Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

computer hijacked


  • Please log in to reply
1 reply to this topic

#1 whatever559

whatever559

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:26 PM

Posted 27 October 2010 - 08:04 PM

my sister'n'law's computer was acting funny, so what i did was get "teamviewer" and i installed hijackthis on her computer and i got a very, very hard to beat log. here it is:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:59:24 PM, on 10/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\access\access.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Adik\Desktop\attachments_2010_10_27\TeamViewer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xfinity.com/?cid=xfstart_eg_self_main
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xfinity.com/?cid=xfstart_eg_self_main
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25408
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 94.228.209.245 www.google.com
O1 - Hosts: 94.228.209.245 google.com
O1 - Hosts: 94.228.209.245 google.com.au
O1 - Hosts: 94.228.209.245 www.google.com.au
O1 - Hosts: 94.228.209.245 google.be
O1 - Hosts: 94.228.209.245 www.google.be
O1 - Hosts: 94.228.209.245 google.com.br
O1 - Hosts: 94.228.209.245 www.google.com.br
O1 - Hosts: 94.228.209.245 google.ca
O1 - Hosts: 94.228.209.245 www.google.ca
O1 - Hosts: 94.228.209.245 google.ch
O1 - Hosts: 94.228.209.245 www.google.ch
O1 - Hosts: 94.228.209.245 google.de
O1 - Hosts: 94.228.209.245 www.google.de
O1 - Hosts: 94.228.209.245 google.dk
O1 - Hosts: 94.228.209.245 www.google.dk
O1 - Hosts: 94.228.209.245 google.fr
O1 - Hosts: 94.228.209.245 www.google.fr
O1 - Hosts: 94.228.209.245 google.ie
O1 - Hosts: 94.228.209.245 www.google.ie
O1 - Hosts: 94.228.209.245 google.it
O1 - Hosts: 94.228.209.245 www.google.it
O1 - Hosts: 94.228.209.245 google.co.jp
O1 - Hosts: 94.228.209.245 www.google.co.jp
O1 - Hosts: 94.228.209.245 google.nl
O1 - Hosts: 94.228.209.245 www.google.nl
O1 - Hosts: 94.228.209.245 google.no
O1 - Hosts: 94.228.209.245 www.google.no
O1 - Hosts: 94.228.209.245 google.co.nz
O1 - Hosts: 94.228.209.245 www.google.co.nz
O1 - Hosts: 94.228.209.245 google.pl
O1 - Hosts: 94.228.209.245 www.google.pl
O1 - Hosts: 94.228.209.245 google.se
O1 - Hosts: 94.228.209.245 www.google.se
O1 - Hosts: 94.228.209.245 google.co.uk
O1 - Hosts: 94.228.209.245 www.google.co.uk
O1 - Hosts: 94.228.209.245 google.co.za
O1 - Hosts: 94.228.209.245 www.google.co.za
O1 - Hosts: 94.228.209.245 www.google-analytics.com
O1 - Hosts: 94.228.209.245 www.bing.com
O1 - Hosts: 94.228.209.245 search.yahoo.com
O1 - Hosts: 94.228.209.245 www.search.yahoo.com
O1 - Hosts: 94.228.209.245 uk.search.yahoo.com
O1 - Hosts: 94.228.209.245 ca.search.yahoo.com
O1 - Hosts: 94.228.209.245 de.search.yahoo.com
O1 - Hosts: 94.228.209.245 fr.search.yahoo.com
O1 - Hosts: 94.228.209.245 au.search.yahoo.com
O1 - Hosts: 94.228.209.245 www.youtube.com
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\IPSBHO.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Xfinity.com Toolbar - {dcc70a83-e184-40a3-906b-779af5e941c4} - C:\Program Files\xfinitytb\xfinitydx.dll
O2 - BHO: Updater For Xfinity.com Toolbar 3.1 - {e6d0b79e-ecac-411b-8bf6-7a574981af30} - C:\Program Files\xfinitytb\auxi\xfinityAu.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Xfinity.com Toolbar - {dcc70a83-e184-40a3-906b-779af5e941c4} - C:\Program Files\xfinitytb\xfinitydx.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
O4 - HKLM\..\Run: [HKLM] C:\WINDOWS\access\access.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKCU\..\Run: [HKCU] C:\WINDOWS\access\access.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cricket Broadband] C:\Program Files\Cricket\Cricket Broadband\Cricket Broadband.exe
O4 - HKCU\..\Run: [ComcastAntispyClient] "C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" /hide
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\access\access.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\access\access.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280625189602
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 8658 bytes

i know the O1'S is bad, i just dont know how to remove them, someone said RogueKiller, but the more i read, that was sorta different situation than mine, so any help would be great, plus i only got like 2 hours, so please, help me. thanks.

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:26 PM

Posted 28 October 2010 - 01:51 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users