• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Techd

Checking logs for possible keylogger and other shenanigans

18 posts in this topic

Hello, some time ago I got one of my gaming accounts hacked. Someone logged on to it, changed the password on the game's site and then logged on to the game to stay idle for hours. So I've been told by logged on mates.

 

I've run the free fully updated versions of Ad-aware, Malwarebytes' Anti-malware and Spybot - Search & destroy and my paid, full version of norton antivirus' virus scan. Ad-aware noticed a few issues and fixed them. So did the other free programs, so I ran them again today and none of them could find any problems, except ad-aware, which detected 1 issue. Said it fixed it. I'm now running Hijackthis and posting the logs from the first anti-malware scan (which contained most threats) and HJT. The new antimalware log showed no problems in the log, but the previous infections might interest you, I thought.

 

I will now run ad-aware again and see if the infection remains. Will edit the result in. Here are my logs (If you want translations of the swedish information in the antimalware log, just tell me about what):

 

 

 

 

Malwarebytes' Anti-malware - First scan

 

Malwarebytes' Anti-Malware 1.41

Databasversion: 3222

Windows 5.1.2600 Service Pack 3

 

2009-11-24 20:11:40

mbam-log-2009-11-24 (20-11-40).txt

 

Skanningstyp: Fullständig skanning (C:\|D:\|E:\|F:\|H:\|I:\|J:\|K:\|)

Antal skannade objekt: 281212

Förfluten tid: 3 hour(s), 50 minute(s), 30 second(s)

 

Infekterade minnesprocesser: 0

Infekterade minnesmoduler: 0

Infekterade registernycklar: 12

Infekterade registervärden: 0

Infekterade registerdataposter: 2

Infekterade mappar: 0

Infekterade filer: 9

 

Infekterade minnesprocesser:

(Inga illasinnade poster hittades)

 

Infekterade minnesmoduler:

(Inga illasinnade poster hittades)

 

Infekterade registernycklar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1ea24408-f8d0-4889-9d7e-6765ad73d8b8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssttt (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{1ea24408-f8d0-4889-9d7e-6765ad73d8b8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Worm.Allaple) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09f1adac-76d8-4d0f-99a5-5c907dadb988} (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4b646afb-9341-4330-8fd1-c32485aee619} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9a853e36-4a35-4dbf-9c03-ad9423798e35} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{cd3447d4-ca39-4377-8084-30e86331d74c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winxtx32 (Trojan.Dialer) -> Quarantined and deleted successfully.

 

Infekterade registervärden:

(Inga illasinnade poster hittades)

 

Infekterade registerdataposter:

HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Infekterade mappar:

(Inga illasinnade poster hittades)

 

Infekterade filer:

C:\WINDOWS\system32\ssttt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\jkhfe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\jkklm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mlljj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pmnnl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ssttu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vtsqr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vturq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winxtx32.dll (Trojan.Dialer) -> Quarantined and deleted successfully.

 

 

 

 

Hijackthis log

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:46:35, on 2009-11-26

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe

C:\Program\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe

c:\APPS\HIDSERVICE\HIDSERVICE.exe

C:\Program\CyberLink\Shared Files\CLML_NTService\CLMLService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Java\jre6\bin\jqs.exe

C:\Program\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program\Delade filer\Ulead Systems\DVD\ULCDRSvr.exe

c:\APPS\Powercinema\Kernel\TV\CLSched.exe

C:\Program\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe

C:\Program\Mozilla Firefox\firefox.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program\Winamp Toolbar\winamptb.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL

O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar4.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: Bredbandsbolaget Servicecenter Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Program\Bredbandsbolaget\Servicecenter\IEFixItNowPlugin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar4.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program\Winamp Toolbar\winamptb.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [Avg Antivirus] C:\WINDOWS\system32\icpldrvx.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [postRBT] C:\Program\Norton Internet Security\Norton AntiVirus\Navw32.exe /REMEDIATE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [postRBT] C:\Program\Norton Internet Security\Norton AntiVirus\Navw32.exe /REMEDIATE (User 'Default user')

O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: &Winamp Search - D:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: Backward Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\sw.htm

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by123fd.bay123.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://snabbt.bredband.com/check/fscax.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe

O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe

O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe

O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program\Delade filer\Symantec Shared\Support Controls\ssrc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program\Delade filer\Ulead Systems\DVD\ULCDRSvr.exe

 

--

End of file - 8817 bytes

 

 

 

Edit: I also ran ATF cleaner before all the scans and deleted everything except "prefetch".

Edit 2: Ad-aware couldn't find any threats any more.

Edited by Techd

Share this post


Link to post
Share on other sites

Hi,

I'm nasdaq and will be helping you.

 

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Your computer may have been compromised by a malicious KeyLogger.

I strongly suggest you change all your Passwords.

 

If you do online banking or used credit cards, you should preferably have these account and password changed for your added protection.

 

Close all programs leaving only HijackThis running. Place a check against of the following if found, making sure you get them all and not any others by mistake:

 

O4 - HKLM\..\Run: [Avg Antivirus] C:\WINDOWS\system32\icpldrvx.exe

 

Click on Fix Checked when finished and exit HijackThis.

 

Delete this file in bold if found.

C:\WINDOWS\system32\icpldrvx.exe

 

Restart the computer normally.

===

 

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Submit a fresh HijackThis log.

Share this post


Link to post
Share on other sites

I appreciate your help, mr. Nasdaq.

However, I won't be able to reach that computer in a week. Will follow your steps and repost when done, thanks again.

Share this post


Link to post
Share on other sites

My topics are closed 14 days after the last post.

Share this post


Link to post
Share on other sites

Due to the lack of feedback this Topic is closed.

 

[Reopened]

 

 

Everyone else please begin a New Topic.

Edited by cnm

Share this post


Link to post
Share on other sites

Hi,

 

Please post a fresh HijackThis log. Let me know what problem persists.

Share this post


Link to post
Share on other sites

Okay, so I follow your instructions.

I found the icpldrvx.exe and removed it with HJT, restarted and scanned again. No icpldrvx now.

I didn't have a file named icpldrv, but I did find a suspect file named icsxml in system32.

Here's my new log

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:01:24, on 2009-12-28

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16945)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe

C:\Program\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe

C:\Program\CyberLink\Shared Files\CLML_NTService\CLMLService.exe

c:\APPS\HIDSERVICE\HIDSERVICE.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Java\jre6\bin\jqs.exe

C:\Program\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program\Delade filer\Ulead Systems\DVD\ULCDRSvr.exe

c:\APPS\Powercinema\Kernel\TV\CLSched.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program\Winamp Toolbar\winamptb.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL

O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar4.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: Bredbandsbolaget Servicecenter Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Program\Bredbandsbolaget\Servicecenter\IEFixItNowPlugin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar4.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program\Winamp Toolbar\winamptb.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [postRBT] C:\Program\Norton Internet Security\Norton AntiVirus\Navw32.exe /REMEDIATE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [postRBT] C:\Program\Norton Internet Security\Norton AntiVirus\Navw32.exe /REMEDIATE (User 'Default user')

O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: &Winamp Search - D:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: Backward Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\sw.htm

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by123fd.bay123.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://snabbt.bredband.com/check/fscax.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe

O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe

O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe

O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program\Delade filer\Symantec Shared\Support Controls\ssrc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program\Delade filer\Ulead Systems\DVD\ULCDRSvr.exe

 

--

End of file - 8743 bytes

Share this post


Link to post
Share on other sites

Your log is clean.

 

Can you submit the results of the security Scan.

 

Let me know of any pending problems.

Share this post


Link to post
Share on other sites

Which security scan? My anti-virus' or malwarebytes' antimalware/spybot search & destroy/lavasoft's adaware?

Also, is the icsxml folder in system32 any malicious? I googled it and tons of people got it infected, as it seems.

 

Edit: My bank uses a device that creates unique passwords for each time you log on to or pay anything on your bank. Does anything need changing on my bank account? I need the device in my hand, as well as the website, to log on my bank, so I guess it's cool.

Edited by Techd

Share this post


Link to post
Share on other sites
My bank uses a device that creates unique passwords for each time you log on

I think you are safe here.

 

WOW accounts are being hacked from some vulnerability in some programs such as the Reader from Adobe and some Flash players.

 

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Share this post


Link to post
Share on other sites

I was hacked from typing in my account information in a site I thought was blizzard's, wasn't paying attention in the e-mail I got. Had 2 dots after the @ (xxx@support.blizzard.com or something) and linked to a keylogger site. Beware, all readers! Check your mails' senders!

 

Thank you very much, Nasdaq :).

How about the icsxml folder in my system32?

 

Here's my security check scan results:

 

Results of screen317's Security Check version 0.99.1

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Norton Internet Security

``````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Spybot - Search & Destroy

HijackThis 2.0.2

Java 6 Update 13

Java SE Runtime Environment 6 Update 1

Java 6 Update 2

Java 6 Update 3

Java 6 Update 5

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 9.1.2 - Svenska

``````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

 

`````````End of Log```````````

Share this post


Link to post
Share on other sites

Please download JavaRa

 

If you get this message:

Problems with the download? Please use this direct link or try another mirror.

 

Select the Direct link download unzip it to your Desktop.

 

Double click JavaRa.exe then click Remove Older Versions.

 

Follow any prompts; a log will popup (JavaRa.log)-- please post the contents of this log.

 

Next, open JavaRa.exe again, and select Search For Updates.

 

Select Update Using Sun Java's Website --> Search, and continue the instructions for downloading and installing the latest Java version. Download this one JRE 6 Update 17.

 

In Vista and Windows 7 run the tool as Administrator.

 

ADOBE - Reader and Flash Players.

 

Visit Link to ADOBE

and download the latest version of Acrobat Reader.

Having the latest updates ensures there are no security vulnerabilities in your system.

 

Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions

http://www.adobe.com/support/security/advisories/apsa09-07.html

Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue.

 

Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:

1. Launch Acrobat or Adobe Reader.

2. Select Edit>Preferences

3. Select the JavaScript Category

4. Uncheck the 'Enable Acrobat JavaScript' option

5. Click OK

 

===

 

Security updates available for Adobe Flash Player.

http://www.adobe.com/support/security/bulletins/apsb09-19.html

 

Adobe recommends all users of Adobe Flash Player 10.0.32.18 and earlier versions upgrade to the newest version 10.0.42.34 by downloading it from the Flash Player Download Center or by using the auto-update mechanism within the product when prompted...

Adobe Flash Player version 10.0.42.34

http://get.adobe.com/flashplayer/

 

p.s. If you do not want the Free McAfee Security Scan (optional) make sure you remove the mark in the check box.

Share this post


Link to post
Share on other sites

Results of screen317's Security Check version 0.99.1

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Norton Internet Security

``````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Spybot - Search & Destroy

HijackThis 2.0.2

Java 6 Update 17

Adobe Flash Player 10

Adobe Reader 9.2 - Svenska

``````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

 

`````````End of Log```````````

 

Is our business complete?

Share this post


Link to post
Share on other sites

You are looking good.

 

Any remaining problems?

Share this post


Link to post
Share on other sites

Is icsxml in system32 anything to worry about? Otherwise, thank you very much. I've also fixed some problems with two registry scanners/fixers. Is there any way to mark thread as solved or give your cred for your work?

Share this post


Link to post
Share on other sites

icsxml is a folder for the XML files. Norton is not identifying any files in it as bad. So you should be good.

Share this post


Link to post
Share on other sites

Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0