sgregg
Browser Hijack & Malware Bytes finds nothing.
in Resolved Malware Removal Logs
Hello All,
I am fighting with an XP machine that is seriously hijacked. I have updated & run MB repeatedly with no results. Following are the results from DDS:
-------------------------------------------
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by ws10 at 7:56:11 on 2011-11-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2021.1576 [GMT -8:00]
.
AV: Trend Micro Client-Server Security Agent AntiVirus *Enabled/Updated* {897E75A8-3797-483E-ABF4-9E7684C8C4B2}
AV: Trend Micro Client-Server Security Agent AntiVirus *Enabled/Updated* {78157172-E76A-4C2B-84D0-BE47336BEB3E}
FW: Trend Micro Client-Server Security Agent Firewall *Disabled*
FW: Trend Micro Client-Server Security Agent Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\TEMP\XJD853.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = <local>
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [setRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mPolicies-system: EnableLUA = 0 (0x0)
LSP: mswsock.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://pataha.columbia.local:4343/officescan/console/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://pataha.columbia.local:4343/officescan/console/ClientInstall/setup.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://pataha.columbia.local:4343/officescan/console/ClientInstall/RemoveCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{9D2A8DBB-4C26-4EBA-85AD-2BD9A57A2461} : NameServer = 10.7.1.26,4.2.2.2
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ws10\application data\mozilla\firefox\profiles\n26w2fqa.default\
FF - component: c:\program files\virtual firefox\extensions\fi@dictionaries.addons.mozilla.org\platform\winnt_x86-msvc\components\myspellext.dll
.
============= SERVICES / DRIVERS ===============
.
R1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys [2008-7-11 191872]
R2 OfcPfwSvc;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\trend micro\client server security agent\OfcPfwSvc.exe [2007-3-29 282704]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-11-23 576024]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\tmxpflt.sys [2009-9-30 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2009-9-30 36368]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2009-11-20 36608]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-27 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-27 136176]
.
=============== Created Last 30 ================
.
2011-11-29 16:20:40 388096 ----a-r- c:\documents and settings\ws10\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-11-15 17:53:41 102400 ----a-w- c:\windows\RegBootClean.exe
2011-11-15 17:53:20 -------- d-----w- c:\program files\12D8C
2011-11-15 17:52:26 -------- d-----w- c:\documents and settings\ws10\application data\78612
2011-11-15 17:52:24 -------- d-----w- c:\program files\LP
2011-11-15 17:52:07 -------- d-----w- c:\documents and settings\ws10\application data\JtzPNycA1
2011-11-15 17:52:07 -------- d-----w- c:\documents and settings\ws10\application data\hWK8fRL9hXjC
2011-11-15 17:50:46 -------- d-----w- c:\documents and settings\ws10\application data\sPNycA1uv2n4m5W
2011-11-15 17:50:45 -------- d-----w- c:\documents and settings\ws10\application data\n6dWK7fRLhXjClB
2011-11-15 17:50:40 -------- d-----w- c:\documents and settings\ws10\application data\f7fEL9gTZjCkVzN
2011-11-15 17:50:38 -------- d-----w- c:\documents and settings\ws10\application data\oD2onF4pm5W7E8T
.
==================== Find3M ====================
.
2011-11-30 15:47:54 8832 ----a-w- c:\windows\system32\drivers\wmiacpi.sys
2011-09-27 17:01:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 7:56:30.29 ===============
-----------------------------------------------------------
attach.zip