Infected via Messenger


Post by Stockers16 on 2nd February 2009, 12:55 pm

Hi all, you helped me out once before with a different PC...

This is my desktop, and somebody other than myself was using it. They were using MSN and offered a photo (unsure if it was a link or a received file).

Symptoms:
- Sites like MySpace, Facebook, Gmail etc. won't log in
- Windows Live Messenger won't sign in, despite the connectivity test passing
- Downloads seem slowed (I have a substantial broadband plan and yet d/l are highly retarded)

Could be more, not sure yet...

HijackThis log to follow

Stockers16
Beginner
Posts: 3
Joined: 2009-02-02
OS: Vista 32bit
Points: 28660
Likes: 0

Post by Stockers16 on 2nd February 2009, 1:09 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:25 PM, on 2/2/1981
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\TP-LINK\TWCU\TWCU.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Wireless LAN Utility\SiWake.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\Dort\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IOIMP6DO\Hijack(GP)This[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TWCU\TWCU.exe" -nogui
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17] P17Def.Exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: TL-WN320G 1.0 Utility.lnk = C:\Program Files\Wireless LAN Utility\SiWake.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\Windows\system32\acs.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 4546 bytes

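As an added example (not part of this thread, and not HijackThis's own code), a small Python triage helper for log lines in the format posted above. It parses each `Oxx - ...` entry and flags what a helper usually reads first: hooks whose file is gone, services with no vendor information, and Run entries that name a module without a full path. The sample lines are constructed from the shape of this log, with the forum-masked URLs left out; a flag means "look closer", not "malware".

```python
import re

# Constructed sample lines in the shape of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\Windows\system32\acs.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A command that starts with a (quoted) drive path or an environment variable is fully qualified.
FULL_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%)')

def parse_entry(line):
    """Split one 'Oxx - ...' line into code, body and CLSID; None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    return {"code": m.group("code"), "body": body,
            "clsid": clsid.group(0) if clsid else None}

def flags_for(entry):
    """First-read heuristics; each flag is a reason to look closer, not a verdict."""
    code, body, flags = entry["code"], entry["body"], []
    if "(no file)" in body or "(file missing)" in body:
        flags.append("orphan")             # hook still registered, target file gone
    if code == "O23" and "Unknown owner" in body:
        flags.append("unknown-owner")      # service binary carries no vendor information
    if code == "O4":
        command = body.split("] ", 1)[-1]  # text after the [name] tag is the command line
        if not FULL_PATH_RE.match(command):
            flags.append("relative-path")  # module is resolved via the loader search path
    return flags

def triage(log_text):
    """Every parsed entry, in log order, with its flags attached."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    for e in entries:
        e["flags"] = flags_for(e)
    return entries

def flagged(log_text):
    """(code, flags) for only those entries that earned at least one flag."""
    return [(e["code"], e["flags"]) for e in triage(log_text) if e["flags"]]
```

On the sample above the orphaned BHO and the missing AVG toolbar DLL, the path-less P17Helper Run entry and the ownerless ACS service are returned; the Spybot BHO and the fully qualified msnmsgr entry are not.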

Post by Belahzur on 2nd February 2009, 1:45 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Right click DDS.scr > Run as administrator to run it.
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245091
Likes: 1

Post by Stockers16 on 2nd February 2009, 1:52 pm

DDS (Ver_09-01-07.01) - NTFSx86
Run by Dort at 22:00:21.99 on Mon 02/02/1981
Internet Explorer: 7.0.6000.16386
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3071.2243 [GMT 8:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\TP-LINK\TWCU\TWCU.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Wireless LAN Utility\SiWake.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Dort\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [TWCU] "c:\program files\tp-link\twcu\TWCU.exe" -nogui
dRunOnce: [DefaultP17MIDI] MIDIDEF.EXE
dRunOnce: [DefaultP17] P17Def.Exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\tl-wn3~1.lnk - c:\program files\wireless lan utility\SiWake.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

============= SERVICES / DRIVERS ===============

R4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [1981-2-2 1153368]

=============== Created Last 30 ================

1981-02-02 20:57 --d----- c:\programdata\Spybot - Search & Destroy
1981-02-02 20:57 --d----- c:\program files\Spybot - Search & Destroy
1981-02-02 20:57 --d----- c:\progra~2\Spybot - Search & Destroy
1981-02-02 19:57 --d----- c:\programdata\Media Center Programs
1981-02-02 19:57 --d----- c:\progra~2\Media Center Programs
1981-02-02 19:33 --d----- c:\program files\Ventrilo
1981-02-02 19:33 262 a------- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
1981-02-02 19:32 --d----- c:\program files\common files\Wise Installation Wizard
1981-02-02 19:22 815,104 a------- c:\windows\system32\xvidcore.dll
1981-02-02 19:22 180,224 a------- c:\windows\system32\xvidvfw.dll
1981-02-02 19:22 77,824 a------- c:\windows\system32\xvid.ax
1981-02-02 19:22 --d----- c:\program files\Xvid
1981-02-02 19:09 --d----- c:\program files\Bonjour
1981-02-02 19:09 --d----- c:\programdata\Apple
1981-02-02 19:04 1,524,736 a------- c:\windows\system32\wucltux.dll
1981-02-02 19:04 83,456 a------- c:\windows\system32\wudriver.dll
1981-02-02 19:04 162,064 a------- c:\windows\system32\wuwebv.dll
1981-02-02 19:04 31,232 a------- c:\windows\system32\wuapp.exe
1981-02-02 17:38 --d----- c:\users\dort\Tracing
1981-02-02 17:37 --d----- c:\program files\Microsoft
1981-02-02 17:36 --d----- c:\program files\Windows Live SkyDrive
1981-02-02 17:36 --d----- c:\windows\PCHEALTH
1981-02-02 17:19 --d----- c:\program files\common files\Windows Live
1981-02-02 17:13 -cdsh--- c:\program files\common files\WindowsLiveInstaller
1981-02-02 17:12 --d----- c:\program files\AVG
1981-02-02 17:12 --d----- c:\programdata\WLInstaller
1981-02-02 17:03 --dsh--- c:\windows\Installer
1981-02-02 16:48 26 a----r-- c:\windows\system32\net5211.cat
1981-02-02 16:48 463,168 a------- c:\windows\system32\ar5211.sys
1981-02-02 16:48 39,326 a------- c:\windows\system32\net5211.inf
1981-02-02 16:48 --d----- c:\windows\Options
1981-02-02 16:48 1,396,835 a------- c:\windows\system32\AegisE5.dll
1981-02-02 16:48 385,024 a------- c:\windows\system32\athcfg11.dll
1981-02-02 16:48 249,856 a------- c:\windows\system32\wgapi.dll
1981-02-02 16:48 237,568 a------- c:\windows\system32\wcapi.dll
1981-02-02 16:48 192,512 a------- c:\windows\system32\AegisI5.exe
1981-02-02 16:48 77,824 a------- c:\windows\system32\athcfg11res.dll
1981-02-02 16:48 36,864 a------- c:\windows\system32\acs.exe
1981-02-02 16:48 --d----- c:\program files\TP-LINK
1981-02-02 16:47 --d----- C:\temp
1981-02-02 16:45 --d----- c:\program files\Wireless LAN Utility
1981-02-02 16:45 74,240 -------- c:\windows\system32\drivers\sisnpf.sys
1981-02-02 16:45 --d----- c:\program files\SiS163u
1981-02-02 16:45 0 a------- c:\windows\system32\wunilog.ini
1981-02-02 16:20 133,632 a------- c:\windows\system32\CtDvInst.dll
1981-02-02 16:19 147,456 a------- c:\windows\system32\drivers\EL2K_XP.sys
1981-02-02 16:19 61,440 a------- c:\windows\system32\EL2K_CPP.dll
1981-02-02 16:05 --d----- c:\users\Dort

==================== Find3M ====================

2006-11-02 20:50 174 a--sh--- c:\program files\desktop.ini
2006-11-02 20:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 20:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 20:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 20:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 18:32 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 17:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 17:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 17:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 17:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
1981-02-02 16:45 86,016 a------- c:\windows\inf\infstor.dat
1981-02-02 16:45 51,200 a------- c:\windows\inf\infpub.dat
1981-02-02 16:45 86,016 a------- c:\windows\inf\infstrng.dat

============= FINISH: 22:00:40.56 ===============

Post by Belahzur on 2nd February 2009, 3:52 pm

Log looks okay; what problems are you having?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Post by Doctor Inferno on 9th May 2009, 10:10 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Posts: 12015
Joined: 2007-12-26
Gender: Male
OS: Windows 7 Home Premium and Ultimate X64
Protection: Kaspersky PURE and Malwarebytes' Anti-Malware
Points: 104620
Likes: 0
