Jump to content

Computer Hacked ** Please Help **


Recommended Posts

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26

Run by Mohammed M Anwar at 23:38:05 on 2011-07-28

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.467 [GMT -5:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\PixArt\PAC7302\Monitor.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe

C:\Program Files\Apoint\HidFind.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFRA.EXE

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Documents and Settings\Mohammed M Anwar\My Documents\Downloads\Defogger.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [Artisan 810(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatifra.exe /fu "c:\windows\temp\E_S85.tmp" /EF "HKCU"

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [<NO NAME>]

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe

mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271810739328

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{49471088-17E4-46B3-9B7A-B3C1E113C8BC} : DhcpNameServer = 192.168.1.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\mohammed m anwar\application data\mozilla\firefox\profiles\5got3y4h.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]

R1 MpKsl26d2ae40;MpKsl26d2ae40;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{da5c29ec-8831-4f13-8ac8-8936571275ce}\mpksl26d2ae40.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{da5c29ec-8831-4f13-8ac8-8936571275ce}\MpKsl26d2ae40.sys [?]

R1 MpKsle454eab5;MpKsle454eab5;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a7cb397d-6a09-4f25-b8c5-c99f8a314046}\MpKsle454eab5.sys [2011-7-28 28752]

S1 MpKsl6f27950d;MpKsl6f27950d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{98ea0896-2fc0-4fe6-987a-fa7f43346039}\mpksl6f27950d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{98ea0896-2fc0-4fe6-987a-fa7f43346039}\MpKsl6f27950d.sys [?]

S1 MpKslb46f386b;MpKslb46f386b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{48f36255-0261-4a35-b095-1460e70db1ba}\mpkslb46f386b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{48f36255-0261-4a35-b095-1460e70db1ba}\MpKslb46f386b.sys [?]

S1 MpKsle6229897;MpKsle6229897;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3c069908-b7a2-4ea3-9758-0dd56b2fc055}\mpksle6229897.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3c069908-b7a2-4ea3-9758-0dd56b2fc055}\MpKsle6229897.sys [?]

S1 MpKslebb79043;MpKslebb79043;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{48f36255-0261-4a35-b095-1460e70db1ba}\mpkslebb79043.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{48f36255-0261-4a35-b095-1460e70db1ba}\MpKslebb79043.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-17 136176]

S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\dcalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-17 136176]

S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2010-5-14 28672]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

.

=============== Created Last 30 ================

.

2011-07-29 04:07:20 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-29 03:41:47 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a7cb397d-6a09-4f25-b8c5-c99f8a314046}\MpKsle454eab5.sys

2011-07-29 03:31:49 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a7cb397d-6a09-4f25-b8c5-c99f8a314046}\mpengine.dll

2011-07-10 22:02:04 -------- d-----w- c:\documents and settings\mohammed m anwar\application data\TeamViewer

2011-07-10 22:01:33 -------- d-----w- c:\program files\TeamViewer

2011-07-10 16:35:32 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-07-10 16:35:32 -------- d-----w- c:\windows\system32\wbem\Repository

.

==================== Find3M ====================

.

2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-04 09:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-04 07:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

.

============= FINISH: 23:39:04.85 ===============

attach.rar

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, run DDS again and post its log.

-screen317

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.