
I think I'm being hacked

Discussion in 'Virus & Other Malware Removal' started by Kenneedshelp, Apr 11, 2010.

Thread Status:
Not open for further replies.
  1. Kenneedshelp

    Kenneedshelp Thread Starter

    Joined:
    Apr 11, 2010
    Messages:
    20
    My reason for thinking I'm being hacked is that I've been having problems with an e-stalker. This person managed to send out a copy of an instant message conversation I had, so he either hacked me or the other person's PC!! I have done a netstat and found a few I'm not sure about; one is wy-in-f154, and on looking this up some say it's malware/rootkit?????? Below are the results from a netstat. Can someone please help??? I've tried a few anti-rootkits but some won't work with Vista 64.

    Microsoft Windows [Version 6.0.6002]
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.
    C:\Users\Ken>netstat
    Active Connections
    Proto Local Address Foreign Address State
    TCP 192.168.1.2:49168 a88-221-88-51:http CLOSE_WAIT
    TCP 192.168.1.2:49169 a88-221-88-51:http CLOSE_WAIT
    TCP 192.168.1.2:49289 213.199.164.110:http ESTABLISHED
    TCP 192.168.1.2:49291 65.55.149.121:http ESTABLISHED
    TCP 192.168.1.2:49292 84.53.134.18:http ESTABLISHED
    TCP 192.168.1.2:49293 213.199.141.139:http ESTABLISHED
    TCP 192.168.1.2:49294 213.199.141.140:http ESTABLISHED
    TCP 192.168.1.2:49296 213.199.141.140:http ESTABLISHED
    TCP 192.168.1.2:49298 ww-in-f149:http ESTABLISHED
    TCP 192.168.1.2:49302 ww-in-f149:http ESTABLISHED
    TCP 192.168.1.2:49305 84.53.134.16:http ESTABLISHED
    TCP 192.168.1.2:49309 gv-in-f105:http ESTABLISHED
    TCP 192.168.1.2:49310 wy-in-f101:http ESTABLISHED
    TCP 192.168.1.2:49311 ww-in-f101:http ESTABLISHED
    TCP 192.168.1.2:49312 72.52.248.159:http ESTABLISHED
    TCP 192.168.1.2:49313 72.52.248.159:http ESTABLISHED
    TCP 192.168.1.2:49314 72.52.248.159:http ESTABLISHED
    TCP 192.168.1.2:49315 72.52.248.159:http ESTABLISHED
    TCP 192.168.1.2:49316 72.52.248.159:http ESTABLISHED
    TCP 192.168.1.2:49317 72.52.248.159:http ESTABLISHED
    TCP 192.168.1.2:49319 ww-in-f156:http ESTABLISHED
    TCP 192.168.1.2:49320 ww-in-f165:http ESTABLISHED
    TCP 192.168.1.2:49321 ww-in-f156:http ESTABLISHED
    TCP 192.168.1.2:49323 cdce:http ESTABLISHED
    TCP 192.168.1.2:49324 host:http ESTABLISHED
    TCP 192.168.1.2:49326 mojofarm:http ESTABLISHED
    TCP 192.168.1.2:49327 ww-in-f102:http ESTABLISHED
    TCP 192.168.1.2:49328 img:http ESTABLISHED
    TCP 192.168.1.2:49329 ww-in-f102:http ESTABLISHED
    TCP 192.168.1.2:49331 img:http ESTABLISHED
    TCP 192.168.1.2:49332 84.53.134.117:http ESTABLISHED
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,860
    First Name:
    Karen
    Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under Attachments, or you can get it from one of the mirrors).

    http://sites.google.com/site/sysprotantirootkit/

    Unzip it into a folder on your desktop.

    Start the Sysprot.exe program.

    • Click on the Log tab.
    • In the Write to log box select all items.
    • Click on the Create Log button on the bottom right.
    • After a few seconds a new Window should appear.
    • Make sure Scan all drives is selected and click on the Start button.
    • When it is complete a new Window will appear to indicate that the scan is finished.
    • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.
     
  3. Kenneedshelp

    Kenneedshelp Thread Starter

    Joined:
    Apr 11, 2010
    Messages:
    20
    Hi, thank you for the reply. Seemingly this program does not work with a 64-bit system?
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,860
    First Name:
    Karen
    Sorry, I thought it did.

    Since you seem to know how to run netstat commands, can you run this command and post those results please?

    netstat -o
     
  5. Kenneedshelp

    Kenneedshelp Thread Starter

    Joined:
    Apr 11, 2010
    Messages:
    20
    Cookiegal,

    Just tried to run SysProt again; after clicking Create Log I get an error: "failed to startstart service. sysprot need to be run with admin privileges!" I did right-click and select Run as administrator!

    Your requested netstat -o result:
    Microsoft Windows [Version 6.0.6002]
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.
    C:\Users\Ken>netstat -o
    Active Connections
    Proto Local Address Foreign Address State PID
    TCP 127.0.0.1:49375 Ken-PC:49376 ESTABLISHED 3708
    TCP 127.0.0.1:49376 Ken-PC:49375 ESTABLISHED 3708
    TCP 192.168.1.2:2869 192.168.1.1:3210 ESTABLISHED 4
    TCP 192.168.1.2:49166 a88-221-88-57:http CLOSE_WAIT 4092
    TCP 192.168.1.2:49167 a88-221-88-57:http CLOSE_WAIT 4092
    TCP 192.168.1.2:49176 spike9246:http CLOSE_WAIT 2856
    TCP 192.168.1.2:49372 by2msg4010611:msnp ESTABLISHED 3708
    TCP 192.168.1.2:49497 81.23.243.145:http ESTABLISHED 6104
    TCP 192.168.1.2:49498 65.55.149.123:http ESTABLISHED 6104
    TCP 192.168.1.2:49499 213.199.141.140:http ESTABLISHED 6104
    TCP 192.168.1.2:49500 213.199.141.139:http ESTABLISHED 6104
    TCP 192.168.1.2:49502 ww-in-f148:http ESTABLISHED 6104
    TCP 192.168.1.2:49503 ww-in-f148:http ESTABLISHED 6104
    TCP 192.168.1.2:49504 213.199.141.139:http ESTABLISHED 6104
    C:\Users\Ken>
     
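The `netstat -o` listing above ties each connection to a PID, which is the point of asking for it: the PID can then be matched against `tasklist`. Below is an added example, not code from the thread, that parses that output shape (it also accepts `netstat -an` lines without a PID), drops loopback, LAN and listening entries, and lists the remaining remote peers per process. The sample listing and the PID-to-image-name map are constructed, and `Ken-PC` is supplied as a local name because netstat without `-n` resolves 127.0.0.1 to the host name.

```python
"""Group `netstat -o` connections by owning PID and list the external peers.

Added example, not from the thread. SAMPLE_NETSTAT_O is constructed in the
same shape as the poster's listing; SAMPLE_PID_NAMES is a constructed map
(on a real machine it would come from `tasklist`).
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_NETSTAT_O = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49375        Ken-PC:49376           ESTABLISHED     3708
  TCP    192.168.1.2:2869       192.168.1.1:3210       ESTABLISHED     4
  TCP    192.168.1.2:49166      a88-221-88-57:http     CLOSE_WAIT      4092
  TCP    192.168.1.2:49372      by2msg4010611:msnp     ESTABLISHED     3708
  TCP    192.168.1.2:49497      81.23.243.145:http     ESTABLISHED     6104
  TCP    192.168.1.2:49502      ww-in-f148:http        ESTABLISHED     6104
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1424
  UDP    0.0.0.0:123            *:*                                    1752
"""

# Constructed PID -> image name map for the sample above (assumption).
SAMPLE_PID_NAMES = {4: "System", 1424: "svchost.exe", 1752: "svchost.exe",
                    3708: "msnmsgr.exe", 4092: "iexplore.exe", 6104: "iexplore.exe"}

# proto, local, foreign, optional state (UDP rows have none), optional PID (-an has none)
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z][A-Z_0-9]*))?(?:\s+(\d+))?\s*$")


def split_endpoint(endpoint):
    """'host:port', 'name:http' or '[v6addr]:port' -> (host, port) as strings."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Parse `netstat -o` (or `-an` / `-ano`) output into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header and blank lines
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": state or "", "pid": int(pid) if pid else None})
    return rows


def is_local_peer(host, local_names=("localhost",)):
    """Loopback, private/link-local addresses and the machine's own name count as local.

    netstat without -n resolves 127.0.0.1 to the host name (Ken-PC in the thread),
    so the caller passes the names that should be treated as this machine."""
    if host.lower() in {n.lower() for n in local_names}:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a resolved Internet host name: treat as remote
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def external_peers_by_pid(rows, pid_names, local_names=("localhost",)):
    """Map each PID to its image name and the remote TCP endpoints it talks to.

    LISTENING sockets (peer 0.0.0.0:0) and UDP rows (peer *:*) carry no remote
    address and are skipped; rows without a PID (from -an) are skipped too."""
    result = defaultdict(lambda: {"name": None, "external": []})
    for row in rows:
        if row["proto"] != "TCP" or row["pid"] is None:
            continue
        peer = row["foreign_host"]
        if peer == "*" or is_local_peer(peer, local_names):
            continue
        entry = result[row["pid"]]
        entry["name"] = pid_names.get(row["pid"], "<unknown>")
        entry["external"].append((peer, row["foreign_port"], row["state"]))
    return dict(result)


if __name__ == "__main__":
    report = external_peers_by_pid(parse_netstat(SAMPLE_NETSTAT_O), SAMPLE_PID_NAMES,
                                   local_names=("localhost", "Ken-PC"))
    for pid, entry in sorted(report.items()):
        print(f"PID {pid} ({entry['name']}):")
        for host, port, state in entry["external"]:
            print(f"    -> {host}:{port}  {state}")
```

A process whose image name you do not recognise but which shows up here with remote peers is the one to look up, rather than the remote host name on its own.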
  6. Kenneedshelp

    Kenneedshelp Thread Starter

    Joined:
    Apr 11, 2010
    Messages:
    20
    Cookiegal,
    Managed to get SysProt to run; please see the log below:
    SysProt AntiRootkit v1.0.1.0
    by swatkat
    ******************************************************************************************
    ******************************************************************************************
    No Processes found
    ******************************************************************************************
    ******************************************************************************************
    No Kernel Modules found
    ******************************************************************************************
    ******************************************************************************************
    No SSDT Hooks found
    ******************************************************************************************
    ******************************************************************************************
    No Kernel Hooks found
    ******************************************************************************************
    ******************************************************************************************
    No IRP Hooks found
    ******************************************************************************************
    ******************************************************************************************
    Ports:
    Local Address: KEN-PC:49517
    Remote Address: LB2.COLLECTIVE-MEDIA.NET:HTTP
    Type: TCP
    Process: 0 (PID)
    State: TIME_WAIT
    Local Address: KEN-PC:49372
    Remote Address: BY2MSG4010611.PHX.GBL:MSNP
    Type: TCP
    Process: 3708 (PID)
    State: ESTABLISHED
    Local Address: KEN-PC:49176
    Remote Address: SPIKE9246.MALWAREBYTES.ORG:HTTP
    Type: TCP
    Process: 2856 (PID)
    State: CLOSE_WAIT
    Local Address: KEN-PC:49167
    Remote Address: A88-221-88-57.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
    Type: TCP
    Process: 4092 (PID)
    State: CLOSE_WAIT
    Local Address: KEN-PC:49166
    Remote Address: A88-221-88-57.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
    Type: TCP
    Process: 4092 (PID)
    State: CLOSE_WAIT
    Local Address: KEN-PC:ICSLAP
    Remote Address: 192.168.1.1:3210
    Type: TCP
    Process: 4 (PID)
    State: ESTABLISHED
    Local Address: KEN-PC:NETBIOS-SSN
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: 4 (PID)
    State: LISTENING
    Local Address: KEN-PC:49376
    Remote Address: LOCALHOST:49375
    Type: TCP
    Process: 3708 (PID)
    State: ESTABLISHED
    Local Address: KEN-PC:49375
    Remote Address: LOCALHOST:49376
    Type: TCP
    Process: 3708 (PID)
    State: ESTABLISHED
    Local Address: KEN-PC:49375
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: 3708 (PID)
    State: LISTENING
    Local Address: KEN-PC:49158
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: 488 (PID)
    State: LISTENING
    Local Address: KEN-PC:49156
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: 504 (PID)
    State: LISTENING
    Local Address: KEN-PC:49155
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: 1676 (PID)
    State: LISTENING
    Local Address: KEN-PC:49154
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: 1556 (PID)
    State: LISTENING
    Local Address: KEN-PC:49153
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: 1516 (PID)
    State: LISTENING
    Local Address: KEN-PC:49152
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: 960 (PID)
    State: LISTENING
    Local Address: KEN-PC:10243
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: 4 (PID)
    State: LISTENING
    Local Address: KEN-PC:5357
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: 4 (PID)
    State: LISTENING
    Local Address: KEN-PC:ICSLAP
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: 4 (PID)
    State: LISTENING
    Local Address: KEN-PC:RTSP
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: 4536 (PID)
    State: LISTENING
    Local Address: KEN-PC:MICROSOFT-DS
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: 4 (PID)
    State: LISTENING
    Local Address: KEN-PC:EPMAP
    Remote Address: 0.0.0.0:0
    Type: TCP
    Process: 1424 (PID)
    State: LISTENING
    Local Address: KEN-PC:59830
    Remote Address: NA
    Type: UDP
    Process: 1752 (PID)
    State: NA
    Local Address: KEN-PC:SSDP
    Remote Address: NA
    Type: UDP
    Process: 1752 (PID)
    State: NA
    Local Address: KEN-PC:138
    Remote Address: NA
    Type: UDP
    Process: 4 (PID)
    State: NA
    Local Address: KEN-PC:NETBIOS-NS
    Remote Address: NA
    Type: UDP
    Process: 4 (PID)
    State: NA
    Local Address: KEN-PC:DISCARD
    Remote Address: NA
    Type: UDP
    Process: 3708 (PID)
    State: NA
    Local Address: KEN-PC:62143
    Remote Address: NA
    Type: UDP
    Process: 3484 (PID)
    State: NA
    Local Address: KEN-PC:60821
    Remote Address: NA
    Type: UDP
    Process: 3672 (PID)
    State: NA
    Local Address: KEN-PC:59831
    Remote Address: NA
    Type: UDP
    Process: 1752 (PID)
    State: NA
    Local Address: KEN-PC:55951
    Remote Address: NA
    Type: UDP
    Process: 1556 (PID)
    State: NA
    Local Address: KEN-PC:55200
    Remote Address: NA
    Type: UDP
    Process: 5544 (PID)
    State: NA
    Local Address: KEN-PC:53435
    Remote Address: NA
    Type: UDP
    Process: 6104 (PID)
    State: NA
    Local Address: KEN-PC:51930
    Remote Address: NA
    Type: UDP
    Process: 3708 (PID)
    State: NA
    Local Address: KEN-PC:49475
    Remote Address: NA
    Type: UDP
    Process: 3804 (PID)
    State: NA
    Local Address: KEN-PC:49286
    Remote Address: NA
    Type: UDP
    Process: 3708 (PID)
    State: NA
    Local Address: KEN-PC:SSDP
    Remote Address: NA
    Type: UDP
    Process: 1752 (PID)
    State: NA
    Local Address: KEN-PC:54207
    Remote Address: NA
    Type: UDP
    Process: 1752 (PID)
    State: NA
    Local Address: KEN-PC:LLMNR
    Remote Address: NA
    Type: UDP
    Process: 1924 (PID)
    State: NA
    Local Address: KEN-PC:5005
    Remote Address: NA
    Type: UDP
    Process: 4536 (PID)
    State: NA
    Local Address: KEN-PC:5004
    Remote Address: NA
    Type: UDP
    Process: 4536 (PID)
    State: NA
    Local Address: KEN-PC:IPSEC-MSFT
    Remote Address: NA
    Type: UDP
    Process: 1556 (PID)
    State: NA
    Local Address: KEN-PC:UPNP-DISCOVERY
    Remote Address: NA
    Type: UDP
    Process: 1752 (PID)
    State: NA
    Local Address: KEN-PC:UPNP-DISCOVERY
    Remote Address: NA
    Type: UDP
    Process: 1752 (PID)
    State: NA
    Local Address: KEN-PC:664
    Remote Address: NA
    Type: UDP
    Process: 3352 (PID)
    State: NA
    Local Address: KEN-PC:623
    Remote Address: NA
    Type: UDP
    Process: 3352 (PID)
    State: NA
    Local Address: KEN-PC:500
    Remote Address: NA
    Type: UDP
    Process: 1556 (PID)
    State: NA
    Local Address: KEN-PC:123
    Remote Address: NA
    Type: UDP
    Process: 1752 (PID)
    State: NA
    ******************************************************************************************
    ******************************************************************************************
    No hidden files/folders found
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,860
    First Name:
    Karen
    Please do the following command:

    netstat -an

    And post that log and also do the following please:

    Click here to download HJTsetup.exe.
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    • Click Save to save the log file and then the log will open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  8. Kenneedshelp

    Kenneedshelp Thread Starter

    Joined:
    Apr 11, 2010
    Messages:
    20
    netstat -an

    Microsoft Windows [Version 6.0.6002]
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.
    C:\Users\Ken>netstat -an
    Active Connections
    Proto Local Address Foreign Address State
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:554 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:10243 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:49158 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:49375 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:49375 127.0.0.1:49376 ESTABLISHED
    TCP 127.0.0.1:49376 127.0.0.1:49375 ESTABLISHED
    TCP 192.168.1.2:139 0.0.0.0:0 LISTENING
    TCP 192.168.1.2:2869 192.168.1.1:3210 ESTABLISHED
    TCP 192.168.1.2:49166 88.221.88.57:80 CLOSE_WAIT
    TCP 192.168.1.2:49167 88.221.88.57:80 CLOSE_WAIT
    TCP 192.168.1.2:49372 207.46.124.58:1863 ESTABLISHED
    TCP 192.168.1.2:50022 94.127.75.60:80 CLOSE_WAIT
    TCP 192.168.1.2:50231 216.239.59.103:80 CLOSE_WAIT
    TCP [::]:135 [::]:0 LISTENING
    TCP [::]:445 [::]:0 LISTENING
    TCP [::]:554 [::]:0 LISTENING
    TCP [::]:2869 [::]:0 LISTENING
    TCP [::]:5357 [::]:0 LISTENING
    TCP [::]:10243 [::]:0 LISTENING
    TCP [::]:49152 [::]:0 LISTENING
    TCP [::]:49153 [::]:0 LISTENING
    TCP [::]:49154 [::]:0 LISTENING
    TCP [::]:49155 [::]:0 LISTENING
    TCP [::]:49156 [::]:0 LISTENING
    TCP [::]:49158 [::]:0 LISTENING
    UDP 0.0.0.0:123 *:*
    UDP 0.0.0.0:500 *:*
    UDP 0.0.0.0:623 *:*
    UDP 0.0.0.0:664 *:*
    UDP 0.0.0.0:3702 *:*
    UDP 0.0.0.0:3702 *:*
    UDP 0.0.0.0:4500 *:*
    UDP 0.0.0.0:5004 *:*
    UDP 0.0.0.0:5005 *:*
    UDP 0.0.0.0:5355 *:*
    UDP 0.0.0.0:54207 *:*
    UDP 127.0.0.1:1900 *:*
    UDP 127.0.0.1:49286 *:*
    UDP 127.0.0.1:49475 *:*
    UDP 127.0.0.1:51930 *:*
    UDP 127.0.0.1:52939 *:*
    UDP 127.0.0.1:53435 *:*
    UDP 127.0.0.1:55200 *:*
    UDP 127.0.0.1:55951 *:*
    UDP 127.0.0.1:55972 *:*
    UDP 127.0.0.1:57184 *:*
    UDP 127.0.0.1:59831 *:*
    UDP 127.0.0.1:60821 *:*
    UDP 127.0.0.1:62143 *:*
    UDP 192.168.1.2:9 *:*
    UDP 192.168.1.2:137 *:*
    UDP 192.168.1.2:138 *:*
    UDP 192.168.1.2:1900 *:*
    UDP 192.168.1.2:59830 *:*
    UDP [::]:123 *:*
    UDP [::]:500 *:*
    UDP [::]:3702 *:*
    UDP [::]:3702 *:*
    UDP [::]:5004 *:*
    UDP [::]:5005 *:*
    UDP [::]:5355 *:*
    UDP [::]:54208 *:*
    UDP [::1]:1900 *:*
    UDP [::1]:59828 *:*
    UDP [fe80::43b:3e3b:3f57:fefd%11]:1900 *:*
    UDP [fe80::43b:3e3b:3f57:fefd%11]:59829 *:*
    UDP [fe80::7db9:42ad:3a40:b632%10]:546 *:*
    UDP [fe80::7db9:42ad:3a40:b632%10]:1900 *:*
    UDP [fe80::7db9:42ad:3a40:b632%10]:59827 *:*
    UDP [fe80::e5e1:d122:2be7:e442%13]:1900 *:*
    UDP [fe80::e5e1:d122:2be7:e442%13]:59826 *:*
    C:\Users\Ken>

    HJT in a min
     
  9. Kenneedshelp

    Kenneedshelp Thread Starter

    Joined:
    Apr 11, 2010
    Messages:
    20
    HJT log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:07:33, on 11/04/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18904)
    Boot mode: Normal
    Running processes:
    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Windows\vsnp2std.exe
    C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe
    C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Windows\FixCamera.exe
    C:\Windows\tsnp2std.exe
    C:\Program Files (x86)\AVG\AVG9\avgtray.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrv.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\program files (x86)\avira\antivir desktop\avcenter.exe
    C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
    C:\Program Files (x86)\Microsoft\Office Live\OfficeLiveSignIn.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [HDAudDeck] "C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" -r
    O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files (x86)\Corel\Corel MediaOne\Corel PhotoDownloader.exe" -startup
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [FixCamera] C:\Windows\FixCamera.exe
    O4 - HKLM\..\Run: [tsnp2std] C:\Windows\tsnp2std.exe
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [googletalk] "C:\Program Files (x86)\Google\Google Talk\googletalk.exe" /autostart
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files (x86)\PowerISO\PWRISOVM.EXE"
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /nosplash
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
    O13 - Gopher Prefix:
    O15 - Trusted Zone: http://chat0.swingingheaven.co.uk
    O15 - Trusted Zone: http://www.swingingheaven.co.uk
    O16 - DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} (Auctiva Image Uploader Control) - http://www.auctiva.com/Aurigma/ImageUploader57.cab
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
    O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: NBService - Nero AG - C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\SysWOW64\IoctlSvc.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\SysWOW64\PSIService.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: ServiceLayer - Nokia - C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    --
    End of file - 12822 bytes
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,860
    First Name:
    Karen
    Please download Malwarebytes' Anti-Malware from Here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     
  11. Kenneedshelp

    Kenneedshelp Thread Starter

    Joined:
    Apr 11, 2010
    Messages:
    20
    As requested, Malwarebytes quick scan results:

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org
    Database version: 3930
    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18904
    12/04/2010 11:12:52
    mbam-log-2010-04-12 (11-12-52).txt
    Scan type: Quick scan
    Objects scanned: 107695
    Time elapsed: 4 minute(s), 54 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)
     
  12. Kenneedshelp

    Kenneedshelp Thread Starter

    Joined:
    Apr 11, 2010
    Messages:
    20
    Cookiegal, I have kept HJT open since sending you the results; is it OK to close it down now?
     
  13. Kenneedshelp

    Kenneedshelp Thread Starter

    Joined:
    Apr 11, 2010
    Messages:
    20
    Cookiegal,

    I know you are busy people, but how are things going?

    Regards

    Ken
     
  14. TerryNet

    TerryNet Moderator

    Joined:
    Mar 23, 2005
    Messages:
    79,872
    First Name:
    Terry
    From first post: "gv-in-f105". This site says that it "Redirects to Exploit kit." Is that meaningful?
     
  15. TerryNet

    TerryNet Moderator

    Joined:
    Mar 23, 2005
    Messages:
    79,872
    First Name:
    Terry
Short URL to this thread: https://techguy.org/916148