Hello All,

I am fighting with an XP machine that is seriously hijacked. I have updated & run MB repeatedly with no results. Following are the results from DDS:

-------------------------------------------

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by ws10 at 7:56:11 on 2011-11-30

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2021.1576 [GMT -8:00]

.

AV: Trend Micro Client-Server Security Agent AntiVirus *Enabled/Updated* {897E75A8-3797-483E-ABF4-9E7684C8C4B2}

AV: Trend Micro Client-Server Security Agent AntiVirus *Enabled/Updated* {78157172-E76A-4C2B-84D0-BE47336BEB3E}

FW: Trend Micro Client-Server Security Agent Firewall *Disabled*

FW: Trend Micro Client-Server Security Agent Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe

C:\Program Files\PDF Complete\pdfsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\TEMP\XJD853.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe

C:\WINDOWS\system32\ctfmon.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8

uInternet Settings,ProxyOverride = <local>

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe

mRun: [setRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe

mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow

mPolicies-system: EnableLUA = 0 (0x0)

LSP: mswsock.dll

DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://pataha.columbia.local:4343/officescan/console/ClientInstall/WinNTChk.cab

DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://pataha.columbia.local:4343/officescan/console/ClientInstall/setup.cab

DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://pataha.columbia.local:4343/officescan/console/ClientInstall/RemoveCtrl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: Interfaces\{9D2A8DBB-4C26-4EBA-85AD-2BD9A57A2461} : NameServer = 10.7.1.26,4.2.2.2

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\ws10\application data\mozilla\firefox\profiles\n26w2fqa.default\

FF - component: c:\program files\virtual firefox\extensions\fi@dictionaries.addons.mozilla.org\platform\winnt_x86-msvc\components\myspellext.dll

.

============= SERVICES / DRIVERS ===============

.

R1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys [2008-7-11 191872]

R2 OfcPfwSvc;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\trend micro\client server security agent\OfcPfwSvc.exe [2007-3-29 282704]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-11-23 576024]

R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\tmxpflt.sys [2009-9-30 230928]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2009-9-30 36368]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2009-11-20 36608]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-27 136176]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-27 136176]

.

=============== Created Last 30 ================

.

2011-11-29 16:20:40 388096 ----a-r- c:\documents and settings\ws10\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-11-15 17:53:41 102400 ----a-w- c:\windows\RegBootClean.exe

2011-11-15 17:53:20 -------- d-----w- c:\program files\12D8C

2011-11-15 17:52:26 -------- d-----w- c:\documents and settings\ws10\application data\78612

2011-11-15 17:52:24 -------- d-----w- c:\program files\LP

2011-11-15 17:52:07 -------- d-----w- c:\documents and settings\ws10\application data\JtzPNycA1

2011-11-15 17:52:07 -------- d-----w- c:\documents and settings\ws10\application data\hWK8fRL9hXjC

2011-11-15 17:50:46 -------- d-----w- c:\documents and settings\ws10\application data\sPNycA1uv2n4m5W

2011-11-15 17:50:45 -------- d-----w- c:\documents and settings\ws10\application data\n6dWK7fRLhXjClB

2011-11-15 17:50:40 -------- d-----w- c:\documents and settings\ws10\application data\f7fEL9gTZjCkVzN

2011-11-15 17:50:38 -------- d-----w- c:\documents and settings\ws10\application data\oD2onF4pm5W7E8T

.

==================== Find3M ====================

.

2011-11-30 15:47:54 8832 ----a-w- c:\windows\system32\drivers\wmiacpi.sys

2011-09-27 17:01:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 7:56:30.29 ===============

-----------------------------------------------------------

attach.zip

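The log above is the kind of artifact a helper reads by eye, but the same first pass can be scripted. The following Python is an added example by the editor, not part of the original post and not a DDS feature: it splits a DDS log into its `=== section ===` blocks and applies three assumed triage heuristics (a process image running from a TEMP directory, a firewall line reported as `*Disabled*`, and a Created-Last-30 entry whose final path component looks machine-generated). The sample input is a constructed subset of the lines from the post; the entries it surfaces (`C:\WINDOWS\TEMP\XJD853.EXE` and the burst of random-named directories created on 2011-11-15) are exactly the ones a practitioner would want to look at first, though a hit is a prompt for inspection, not proof of infection.

```python
"""Triage helper for DDS-style logs (editor's added example, not DDS code).

Heuristics here are the editor's own assumptions:
  * a running process whose image lives under a \\TEMP\\ directory,
  * an AV/FW summary line reported as *Disabled*,
  * a "Created Last 30" entry whose leaf name looks machine-generated.
Each hit is returned as a (kind, detail) tuple for a human to review.
"""
import re

# Constructed sample: a subset of the DDS lines from the post above.
SAMPLE_LOG = """\
FW: Trend Micro Client-Server Security Agent Firewall *Disabled*
============== Running Processes ===============
C:\\WINDOWS\\system32\\spoolsv.exe
C:\\WINDOWS\\TEMP\\XJD853.EXE
C:\\WINDOWS\\Explorer.EXE
============== Pseudo HJT Report ===============
uStart Page = about:blank
=============== Created Last 30 ================
2011-11-29 16:20:40 388096 ----a-r- c:\\documents and settings\\ws10\\application data\\microsoft\\installer\\{45a66726-69bc-466b-a7a4-12fcba4883d7}\\HiJackThis.exe
2011-11-15 17:53:41 102400 ----a-w- c:\\windows\\RegBootClean.exe
2011-11-15 17:53:20 -------- d-----w- c:\\program files\\12D8C
2011-11-15 17:52:24 -------- d-----w- c:\\program files\\LP
2011-11-15 17:52:07 -------- d-----w- c:\\documents and settings\\ws10\\application data\\JtzPNycA1
2011-11-15 17:50:46 -------- d-----w- c:\\documents and settings\\ws10\\application data\\sPNycA1uv2n4m5W
============= FINISH: 7:56:30.29 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# DDS "Created Last 30" lines: date time size attributes path
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)


def parse_sections(text):
    """Return {section_name: [lines]}. Lines before the first header go under 'Header';
    DDS's lone '.' separator lines are dropped."""
    sections = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def looks_generated(name):
    """Editor's heuristic for machine-generated names: alphanumeric only and
    either a letter/digit mix, 4+ digits only, or a long mixed-case, vowel-poor string.
    Extensions are ignored so 'HiJackThis.exe' is judged on 'HiJackThis'."""
    stem = name.rsplit(".", 1)[0] if "." in name else name
    if not re.fullmatch(r"[A-Za-z0-9]+", stem):
        return False
    has_alpha = any(c.isalpha() for c in stem)
    has_digit = any(c.isdigit() for c in stem)
    if has_alpha and has_digit:
        return True
    if has_digit and not has_alpha:
        return len(stem) >= 4
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    mixed_case = stem != stem.lower() and stem != stem.upper()
    return len(stem) >= 8 and mixed_case and vowels / len(stem) < 0.2


def triage(text):
    """Run the three heuristics over a DDS log and return [(kind, detail), ...]."""
    sections = parse_sections(text)
    findings = []
    for line in sections.get("Header", []):
        if line.startswith(("AV:", "FW:")) and "*Disabled*" in line:
            findings.append(("protection_disabled", line))
    for line in sections.get("Running Processes", []):
        low = line.lower()
        if "\\temp\\" in low or "\\tmp\\" in low:
            findings.append(("process_from_temp", line))
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        leaf = path.rstrip("\\").rsplit("\\", 1)[-1]
        if looks_generated(leaf):
            findings.append(("generated_name", path))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {detail}")
```

Run stand-alone it lists the disabled firewall line, the TEMP-resident process and the three random-named entries from 2011-11-15; `c:\program files\LP` is deliberately not flagged, since a two-letter name gives the heuristic nothing to work with, which is why the output is a starting list for a human rather than a verdict.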

Welcome to the forum.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
