Thread: Hijacked

    #1 Registered User (Devshed Newbie, 0 - 499 posts) - Join Date: Mar 2010, Posts: 4, Rep Power: 0

    Hijacked


    I've been hijacked after downloading a webcam special effects program -.- First it ran great, then all of a sudden I started getting warnings that I got hijacked, and my antivirus started bringing up the viruses that were attacking, but it couldn't do much about them. Also Dr. Guard started spamming me; I was getting some ".exe" files, all porn stuff, really annoying. It even screwed my System Restore and Task Manager.

    I followed the starting instructions and here are the logs.

    I'll start with the MBAM log; then in the next posts I'll give you the other logs.


    PHP Code:
    Malwarebytes' Anti-Malware 1.44
    Database version: 3873
    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    3/16/2010 9:59:45 AM
    mbam-log-2010-03-16 (09-59-45).txt

    Scan type: Quick Scan
    Objects scanned: 113090
    Time elapsed: 6 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 3
    Registry Data Items Infected: 3
    Folders Infected: 1
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Dr. Guard (Rogue.DrGuard) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dr. Guard (Rogue.DrGuard) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syncman (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syncman (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Windows\_VOIDvtpoweqkey (Rootkit.TDSS) -> Quarantined and deleted successfully.

    Files Infected:
    c:\Users\francisco\syncman.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Windows\System32\syncman.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\ProgramData\_VOIDmainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Windows\System32\_VOIDgxcefbvffu.dat (Rootkit.TDSS) -> Quarantined and deleted successfully. 
    #2 Registered User (Devshed Newbie, 0 - 499 posts) - Join Date: Mar 2010, Posts: 4, Rep Power: 0

    Here's the SUPERAntiSpyware log.

    PHP Code:
    SUPERAntiSpyware Scan Log

    Generated 03/16/2010 at 11:15 AM

    Application Version : 4.34.1000

    Core Rules Database Version : 4681
    Trace Rules Database Version: 2493

    Scan type       : Complete Scan
    Total Scan Time : 00:46:13

    Memory items scanned      : 791
    Memory threats detected   : 0
    Registry items scanned    : 9630
    Registry threats detected : 0
    File items scanned        : 29413
    File threats detected     : 2

    Adware.Tracking Cookie
        C:\Users\Francisco\AppData\Roaming\Microsoft\Windows\Cookies\francisco@atdmt[2].txt

    Trojan.Agent/Gen-RogueAV
        C:\USERS\FRANCISCO\APPDATA\LOCAL\AVE.EXE
    #3 Registered User (Devshed Newbie, 0 - 499 posts) - Join Date: Mar 2010, Posts: 4, Rep Power: 0

    Unfortunately I couldn't make BitDefender work (yeah, I used IE, but still it said it couldn't update the virus database or something and didn't carry on with the scan).

    And the HijackThis log here:

    PHP Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:14:49 PM, on 3/16/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\DAP\DAP.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Pando Networks\Media Booster\PMB.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\DAEMON Tools Lite\DTLite.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Sun\SDK\jdk\bin\javaw.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ()=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ()
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = ()=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = ()=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = ()=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = ()=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.8.1:3128
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\DAP\DAPIEL~1.DLL
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'Servicio de red')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'Servicio de red')
    O4 - Startup: SDK Tray Menu.lnk = ?
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix: 
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - ()
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - ()
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Servicio Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: OracleDBConsolebases - Unknown owner - C:\app\Francisco\product\11.1.0\db_1\bin\nmesrvc.exe (file missing)
    O23 - Service: OracleOraDb11g_home1TNSListener - Unknown owner - C:\app\Francisco\product\11.1.0\db_1\BIN\TNSLSNR.exe (file missing)
    O23 - Service: OracleServiceBASES - Unknown owner - c:\app\francisco\product\11.1.0\db_1\bin\ORACLE.EXE (file missing)
    O23 - Service: Oracle BASES VSS Writer Service (OracleVssWriterBASES) - Unknown owner - C:\app\Francisco\product\11.1.0\db_1\bin\OraVSSW.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

    --
    End of file - 9515 bytes
    #4 Registered User (Devshed Newbie, 0 - 499 posts) - Join Date: Mar 2010, Location: USA, Posts: 15, Rep Power: 0

    Hello,

    Are you not using any firewall?
    #5 Registered User (Devshed Newbie, 0 - 499 posts) - Join Date: Mar 2010, Posts: 4, Rep Power: 0

    Actually I am, the Windows Firewall.
