• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
LordBaldric

Hacked

10 posts in this topic

My World of Warcraft was hacked into the other night. I'm concerned about keylogging, but malware searches by various programs have come up blank. I'd appreciate any help you could give.

 

HiJackThis Log:

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 8:32:09 PM, on 5/28/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

C:\WINDOWS\system32\dllhost.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\NetWaiting\netWaiting.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\I8kfanGUI\I8kfanGUI.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Jason Elander\Desktop\HiJackThis_v2.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zmag.org/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061223

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"

O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167635733705

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175711261953

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://support.seagate.com/support/disc/as.../npseatools.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

 

--

End of file - 9533 bytes

Share this post


Link to post
Share on other sites

And here's the ComboFix Log:

 

"Jason Elander" - 2007-05-28 20:20:02 Service Pack 2

ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Jason Elander\Desktop\"

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-28 ))))))))))))))))))))))))))))))))))

 

 

2007-05-28 18:26 <DIR> d-------- C:\DOCUME~1\JASONE~1\APPLIC~1\Lavasoft

2007-05-28 15:50 0 --a------ C:\WINDOWS\system32\SBRC.dat

2007-05-28 15:50 0 --a------ C:\WINDOWS\system32\SBFC.dat

2007-05-27 21:31 <DIR> d-------- C:\WINDOWS\pss

2007-05-26 20:08 <DIR> d-------- C:\Program Files\World of Warcraft

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-05-28 23:54:16 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-05-28 17:29:16 12,161 ----a-w C:\WINDOWS\system32\nvModes.dat

2007-05-27 01:08:31 -------- d-----w C:\Program Files\Common Files\Blizzard Entertainment

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 07:14:51 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-04-17 07:04:07 -------- d-----w C:\DOCUME~1\JASONE~1\APPLIC~1\Nikon

2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-17 03:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll

2007-04-17 03:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll

2007-04-16 05:20:45 -------- d-----w C:\Program Files\Strategy First

2007-04-06 16:36:25 -------- d-----w C:\Program Files\Windows Defender

2007-04-06 08:23:26 -------- d-----w C:\DOCUME~1\JASONE~1\APPLIC~1\Viewpoint

2007-04-03 18:49:31 -------- d-----w C:\DOCUME~1\JASONE~1\APPLIC~1\DivX

2007-03-20 03:58:21 541,364 ----a-w C:\WINDOWS\Historical Stony Road Uninstaller.exe

2007-03-18 22:22:53 1,144,756 ----a-w C:\WINDOWS\C.O.R.E. Uninstaller.exe

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-12-06 02:05]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 14:22]

{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2006-12-23 17:36]

{CA6319C0-31B7-401E-A518-A07C3DB8F777}=C:\Program Files\BAE\BAE.dll []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-21 06:03]

"nwiz"="nwiz.exe" [2006-03-21 06:03 C:\WINDOWS\system32\nwiz.exe]

"NVHotkey"="nvHotkey.dll" [2006-03-21 06:03 C:\WINDOWS\system32\nvhotkey.dll]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48]

"SigmatelSysTrayApp"="stsystra.exe" []

"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 19:51]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]

"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 05:00]

"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-22 22:21]

"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 19:04]

"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 18:58]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24]

"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 22:57]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]

"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 20:39]

"i8kfangui"="C:\Program Files\I8kfanGUI\I8kfanGUI.exe" [2006-11-30 16:03]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

AutoRun\command- E:\setup.exe

 

*Newly Created Service* -PROCEXP90

 

Contents of the 'Scheduled Tasks' folder

2007-05-28 21:40:47 C:\WINDOWS\tasks\MP Scheduled Scan.job

 

********************************************************************

 

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-28 20:21:28

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

 

********************************************************************

 

Completion time: 2007-05-28 20:21:50

 

--- E O F ---

Share this post


Link to post
Share on other sites

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]

Share this post


Link to post
Share on other sites

Hello,

 

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

No suspicious keylogger found on your log.

 

Disable Microsoft Windows Defender:

We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

  • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
  • Click on Tools, General Settings.
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save

After all of the fixes are complete it is very important that you enable Real-time Protection again.

 

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (file missing)

 

Click on Fix Checked when finished and exit HijackThis.

 

Restart the computer normally to reset the registry.

 

Enable Microsoft Windows Defender.

 

Let's check further.

 

Please navigate (using Internet Explorer, other browsers won't work) to the following site: http://support.f-secure.com/enu/home/ols3.shtml

 

  • [*]Click the Online Virus Scanner link. (Bottom of the page)

[*]When prompted, choose to install the software.

[*]After the software has installed, click Accept.

[*]Click Custom Scan and check the option for Scan inside archives, then click Start.

[*]The necessary databases will then be downloaded, and the scan will then start automatically. Please be patient as this scan will take a while to complete.

[*]If any infections are found then once the scan has finished the "cleaning" screen will be displayed. Choose Automatic cleaning (recommended).

[*]After cleaning has finished, then the Finish screen will be displayed. Choose Show Report.

[*]In order to post the report, press CTRL+A on your keyboard to highlight all the text. Then copy and paste that information into this thread, along with a new HijackThis log.

Share this post


Link to post
Share on other sites

F-Secure Report:

 

Scanning Report

Sunday, June 03, 2007 12:34:01 - 13:55:25

 

Computer name: THE-GENERAL

Scanning type: Scan system for viruses, rootkits, spyware

Target: C:\

Result: 3 malware found

Tracking Cookie (spyware)

 

* System (Disinfected)

* System

* System

 

Statistics

Scanned:

 

* Files: 137228

* System: 4286

* Not scanned: 16

 

Actions:

 

* Disinfected: 1

* Renamed: 0

* Deleted: 0

* None: 2

* Submitted: 0

 

Files not scanned:

 

* C:\HIBERFIL.SYS

* C:\PAGEFILE.SYS

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

* C:\DOCUMENTS AND SETTINGS\JASON ELANDER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{B2063721-9925-4967-BA41-CDBB815550C3}

* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip\sbRecovery.reg

* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent1.zip\sbRecovery.reg

* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent10.zip\sbRecovery.reg

* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip\4.1.1/actorobject.dll

* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent3.zip\wt.ini

* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip\DRM/3.2.0.19/files/controlpanel/index.html

* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent5.zip\data.wts

* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent6.zip\sbRecovery.reg

* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent7.zip\sbRecovery.reg

* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent8.zip\sbRecovery.reg

* C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent9.zip\sbRecovery.reg

* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3AD391678A806EC4D691E83AAA393B6F_24ADF822-76F7-4481-B30B-FF1B40F8687F

 

Options

Scanning engines:

 

* F-Secure Libra: 2.4.2, 2007-06-02

* F-Secure AVP: 7.0.171, 2007-06-03

* F-Secure Orion: 1.2.37, 2007-06-03

* F-Secure Blacklight: 1.0.53

* F-Secure Draco: 1.0.35, 0260-23-12

* F-Secure Pegasus: 1.19.0, 2007-04-27

 

Scanning options:

 

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX

* Scan inside archives

* Use Advanced heuristics

 

Copyright © 1998-2006 Product support |Send virus sample to F-Secure

F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

Share this post


Link to post
Share on other sites

New Hijackthis log:

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 2:05:02 PM, on 6/3/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

C:\WINDOWS\system32\dllhost.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\NetWaiting\netWaiting.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\I8kfanGUI\I8kfanGUI.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\WINDOWS\system32\svchost.exe

C:\Documents and Settings\Jason Elander\Desktop\HiJackThis_v2.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zmag.org/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061223

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"

O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167635733705

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175711261953

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://support.seagate.com/support/disc/as.../npseatools.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

 

--

End of file - 9428 bytes

Share this post


Link to post
Share on other sites

Your log is clean.

 

How is the computer running?

Share this post


Link to post
Share on other sites

My computer is running just fine. I'm trying to figure out how my account was hacked without some kind of keylogger being present. Maybe the person had my e-mail address and password, as I had reset my account password the previous night and the new password was e-mailed to me. Hmm. Well, I've changed up my passwords as a precaution. Hopefully everything will be ok.

Share this post


Link to post
Share on other sites

Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0