[Resolved] Probable Hijacking

Welcome! Register for a free account (or login) > How does it work?

Quickly register. It will only take 60 seconds.
Start a new topic. Ask your question. Wait for an email reply.
Is your system infected? Begin reading the malware removal guide.

What the Tech > Spyware / Malware / Virus Removal > Infections Removal

[Resolved] Probable Hijacking, strange goings on with the computer

Options

mickey7 View Member Profile	Jun 30 2009, 11:16 AM Post #1
Authentic Member Group: Authentic Member Posts: 83 Joined: 14-August 04 From: Pennsylvania Member No.: 12,467 Operating System: Windows XP Media Center Edition	Hello, I hope someone here can help. I have been going nuts since Sunday with this situation. I used my computer just fine on Saturday. When I booted it up on Sunday morning I received the following error message: ""Windows cannot find C:\Program Files\Creative\Shared Files\dstsvc.exe" I could not understand this and assumed something must not have shut down properly on Sat night. I was able to click through it and continue on my way. After going through some basics, checked email, ran adaware, malwarebytes and my antivirus and found nothing I again just thought it was something from previous shut down, since I could still go online etc and the scans found nothing. So I rebooted. Again I received the same error. I tried to defrag the computer would not let me defrag the main drive only the external one. It stated that it could not start defrag. I then tried to restore the computer to a previous date. There were no previous restore points. I have been creating several along the way recently so I knew there should be at least one there. It also would not let me create a new point. Also my drive names have changed. My external drive used to be listed as drive F: now it is called drive G: (No change in where the usb is plugged into the system. My cd drive is now called drive E: AND drive drive F: it is listed twice in my computer window. I placed a dvd in the drive and it is recognized in both drive names and does play if I go into media center for example and click on play dvd. It did not autorun. Another instance that gives me pause is when I googled the dstsvc error the first item listed is a dell forum by the url listed but when I clicked on it it took me to some other site totally unrelated and it did so again when trying to use the back button. I use Firefox as my primary browser and still maintain Internet Explorer. One other thing, not sure it is related, when watching shows on Hulu.com they tend to stutter in picture but not sound. The audio track poves along fine and sometime the pictures will sputter or stop then jump to catch up with the audio. I have a Dell Inspiron E1505 with XP and Media Center (TV tuner) installed. The computer is about 3 years old. I was hit with an autorun virus several months ago which you all helped me with and I did have a system crash about a month ago. In which I had to re-image my machine. Everything was going so well especially after I took the machine to basically factory settings. Now this. Attached is a hjt log. Please let me know what may be hidden in there as the clean scans are diveing me nuts because I know something is wrong. Thank you. Mickey7 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:50:49 PM, on 6/30/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\System32\GEARSec.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\Program Files\Norton Ghost\Agent\VProSvc.exe C:\WINDOWS\system32\java.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\WINDOWS\stsystra.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe C:\WINDOWS\system32\Rundll32.exe C:\Program Files\Creative\VoiceCenter\AndreaVC.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\DOCUME~1\KATHRY~1\LOCALS~1\Temp\clclean.0001 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\PixArt\PAC7302\Monitor.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Digital Line Detect\DLG.exe C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Global Startup: Bluetooth.lnk = ? O4 - Global Startup: Digital Line Detect.lnk = ? O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 11670 bytes

Replies

ken545 View Member Profile	Jul 16 2009, 02:43 PM Post #2
Forum God Group: Classroom Teacher Posts: 11,302 Joined: 3-December 04 From: Darien, Connecticut Member No.: 19,436 Operating System: Win 7 Ultimate Win Xp Home SP3	Hello Mickey, Just a warning about Combofix, this is a very powerful tool and should only be run under the supervision of a helper on the forums. What it cleans on one system it may damage another , we will be uninstalling it in a bit. This forum, myself and sUbs will not be responsible if you run it on your own. Run this free online virus scanner to make sure we got it all, and at that point I will link you to what programs to install to help keep you more secure. Please run this free online virus scanner from ESET Note: You will need to use Internet explorer for this scan Tick the box next to YES, I accept the Terms of Use. Click Start When asked, allow the activex control to install Click Start Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked Click Scan Wait for the scan to finish Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt Copy and paste that log as a reply to this topic

Posts in this topic

mickey7 [Resolved] Probable Hijacking Jun 30 2009, 11:16 AM

ken545 Hello mickey7 Welcome to the Whatthetech Malware ... Jul 3 2009, 06:13 AM

mickey7 Thanks for the reply. The first process cleared a ... Jul 3 2009, 04:27 PM

ken545 Hello Mickey, C:\Program Files\Creativ... Jul 3 2009, 05:00 PM

mickey7 Ok will go to the other forum but fyi that dstsvc.... Jul 3 2009, 06:09 PM

ken545 It may be under Creative, but let it be and let th... Jul 3 2009, 07:47 PM

mickey7 Thank you for all your help. I have now posted th... Jul 4 2009, 09:15 AM

ken545 Your very welcome Mickey Ken Jul 4 2009, 05:30 PM

ken545 Since this issue appears to be resolved ... this T... Jul 14 2009, 05:31 AM

LDTate This topic has been reopened by request of the sta... Jul 14 2009, 07:12 PM

ken545 Hi, Lets run this program to make sure its not so... Jul 15 2009, 02:24 AM

mickey7 Whatever happened I think it finally corrected the... Jul 15 2009, 06:29 PM

ken545 Don't attach them Mickey, just copy and paste ... Jul 15 2009, 07:35 PM

mickey7 Ok COMBOFIX First: ComboFix 09-07-14.08 - Kathryn... Jul 15 2009, 07:46 PM

mickey7 HJT Next: Logfile of Trend Micro HijackThis v2.0.... Jul 15 2009, 07:47 PM

ken545 Hello Mickey, You had a rootkit infection that hi... Jul 16 2009, 04:49 AM

mickey7 As of last night, pretty well. Occasionally my ne... Jul 16 2009, 01:22 PM

ken545 Hello Mickey, Just a warning about Combofix, this... Jul 16 2009, 02:43 PM

mickey7 OK here is the log ESETSmartInstaller@High as CAB... Jul 16 2009, 06:11 PM

ken545 Great, looks like your in good shape Here is t... Jul 16 2009, 06:38 PM

mickey7 Ok my JAVA seems to already be updated In the abou... Jul 16 2009, 07:06 PM

ken545 Have been using Firefox my self for years and only... Jul 16 2009, 07:24 PM

mickey7 one last question if you don't mind..... There... Jul 16 2009, 07:43 PM

ken545 A Rootkit is very devious, it hides from the opera... Jul 17 2009, 03:15 AM

mickey7 No no Ken. I didn't mean to alarm you. While... Jul 17 2009, 09:23 AM

ken545 Mickey, Everything AVG found where cookies and th... Jul 17 2009, 05:53 PM

mickey7 I do do those things except the firewall but I wil... Jul 17 2009, 06:07 PM

ken545 All your start pages on your HJT log are legit, tr... Jul 17 2009, 06:44 PM

mickey7 That posting I put in the prior post was the log f... Jul 17 2009, 06:47 PM

ken545 http://forums.avg.com/ Why don't you post in ... Jul 17 2009, 06:58 PM

mickey7 Ok then Ken, I guess we are done here then. Thank... Jul 17 2009, 07:11 PM

ken545 Your welcome Mickey Jul 18 2009, 04:11 AM

« Next Oldest · Infections Removal · Next Newest »

Topic Title	Replies	Topic Starter	Views	Last Action
Infections Removal [Resolved] Something big.	5	ajones	105	Today, 02:10 AM Last post by: oldman960
Infections Removal [Resolved] Infected with something	11	pacificjade	127	Yesterday, 05:00 PM Last post by: LDTate
Infections Removal [Resolved] Pesky Virus - Need help to be sure it is removed	7	3streamMusic	166	Yesterday, 02:39 PM Last post by: LDTate
Infections Removal [Resolved] It's Baaaaaack!	14	ShawBuck	167	Yesterday, 10:50 AM Last post by: CatByte