Keylogger Changing all my passwords
flamingsnoman
2009-05-28, 07:46
Hello, I have an issue with a keylogger that has been taking my passwords and changing them, barring my access to personal accounts. The first case was to my World of Warcraft account for which I contacted the company to inform them of such unauthorized access. However, today they have logged and changed the password to my hotmail e-mail account. I am concerned that this will go even further to my bank accounts and school websites. I have run Spybot, Malwarebytes, and Kaspersky's online virus scan, all of which came back with no infections at all. I have backed up my registry with ERUNT as the stickied post dictates. Thank you in advance for assisting me with this matter. An HJT log follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:48 PM, on 5/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Creative\Volume Panel\VolPanlu.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\ASUS\EPU-6 Engine\SixEngine.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\AI Direct Link\AsShare.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {38E77F06-89FC-44f5-B3AB-11DDEB791947} - C:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {38E77F01-89FC-44f5-B3AB-11DDEB791947} - C:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
O2 - BHO: FrontierBA BHO - {A93A3CC1-BA23-4d0d-9440-6A0148362B7E} - C:\Program Files\FrontierBA\BrowserAssistant\fbabar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Frontier Browser Assistant - {A93A3CC9-BA23-4d0d-9440-6A0148362B7E} - C:\Program Files\FrontierBA\BrowserAssistant\fbabar.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\EPU-6 Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [Launch Direct Link] "C:\Program Files\ASUS\AI Direct Link\AsShare.exe"
O4 - HKLM\..\Run: [Launch As Cmd Runner] "C:\Program Files\ASUS\AI Direct Link\AsCmd.exe" -reg
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223367418911
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223367453385
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://frontier.webex.com/client/T26L/support/ieatgpc.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Google Update Service (gupdate1c9d6be10aa11e2) (gupdate1c9d6be10aa11e2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8805 bytes
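A small triage parser for the HijackThis log format posted above, added here as an example and not part of the thread or of HijackThis itself: it splits each R/O entry into section, display name, CLSID and binary path, then attaches the kind of review hints a helper applies when skimming such a log (objects HJT could not identify, Run entries given as a bare filename, binaries outside the usual Windows and Program Files roots). The sample lines are copied from the log above except the last one, which is an invented placeholder so the location rule has something to fire on; the flags are prompts for human review, not verdicts.

```python
import re
from collections import Counter

# Constructed sample in the shape of the HijackThis v2 log posted above.
# The first ten lines are copied from that log; the last line is an invented
# placeholder (NOT from the posted log) so the "unusual-location" rule fires.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
R3 - URLSearchHook: (no name) - {38E77F06-89FC-44f5-B3AB-11DDEB791947} - C:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {38E77F01-89FC-44f5-B3AB-11DDEB791947} - C:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O4 - HKCU\..\Run: [placeholder] C:\Documents and Settings\user\Local Settings\Temp\placeholder.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-rooted path ending in a binary extension; surrounding quotes are optional.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|scr|cab))"?', re.IGNORECASE)
# Bare filename with no directory component (e.g. "CTXFIHLP.EXE").
BARE_RE = re.compile(r"\b(?P<path>[\w.-]+\.(?:exe|dll))\b", re.IGNORECASE)
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

# Roots where software on a default XP install normally lives (assumption for the rule).
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse_entry(line):
    """Split one HJT line into section, display name, CLSID and binary path; None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = {"section": section, "raw": line.strip(), "name": None,
             "clsid": None, "path": None, "bare": False}
    clsid = CLSID_RE.search(body)
    if clsid:
        entry["clsid"] = clsid.group(0).upper()
    if section == "O4":
        run = RUN_RE.search(body)           # "[name] command line"
        if run:
            entry["name"] = run.group("name")
            body = run.group("cmd")
    elif section in ("O2", "O3", "O23", "R3"):
        # "BHO: <name> - {CLSID} - <path>" / "Service: <name> - <vendor> - <path>"
        entry["name"] = body.split(" - ")[0].split(": ", 1)[-1].strip()
    full = PATH_RE.search(body)
    if full:
        entry["path"] = full.group("path")
    else:
        bare = BARE_RE.search(body)
        if bare:
            entry["path"], entry["bare"] = bare.group("path"), True
    return entry


def triage_flags(entry):
    """Review hints for one parsed entry (prompts for a human reader, not verdicts)."""
    flags = []
    raw = entry["raw"].lower()
    if "(no name)" in raw or "unknown owner" in raw or "unknown file" in raw:
        flags.append("unidentified")     # HJT could not resolve a name or vendor
    if entry["bare"]:
        flags.append("bare-filename")    # no directory: resolved via the search path at logon
    elif entry["path"] and not entry["path"].lower().startswith(EXPECTED_ROOTS):
        flags.append("unusual-location")  # binary outside Windows / Program Files
    return flags


def triage(log_text):
    """Parse every entry line of a log and attach its review flags."""
    entries = [e for e in (parse_entry(l) for l in log_text.splitlines()) if e]
    for e in entries:
        e["flags"] = triage_flags(e)
    return entries


def summarize(entries):
    """Counts per section and per flag, the way a helper skims a log before replying."""
    by_section = Counter(e["section"] for e in entries)
    by_flag = Counter(f for e in entries for f in e["flags"])
    return by_section, by_flag


if __name__ == "__main__":
    parsed = triage(SAMPLE_HJT_LOG)
    sections, flags = summarize(parsed)
    print("entries per section:", dict(sections))
    print("flags:", dict(flags))
    for e in parsed:
        if e["flags"]:
            print(f'{e["section"]:>4} {",".join(e["flags"]):<18} {e["name"] or "-"} -> {e["path"]}')
```

Run over the sample, the parser reports five entries HJT itself could not identify (the two FrontierSH objects, the Winsock LSP file and the two "Unknown owner" services), one bare-filename Run entry and one binary in the invented temp location; every such hit still needs the file checked by hand, which is exactly what the helper does in the replies that follow.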
shelf life
2009-05-30, 00:29
hi flamingsnoman
Let's see if DDS can dig up anything:
Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.
Disable any script blocking protection
Double click dds.scr to run the tool.
When done, DDS.txt will open.
Save both reports to your desktop.
Copy/paste both logs in your reply.
flamingsnoman
2009-05-30, 00:51
The program wanted me to zip and attach the second log, but I followed your instructions instead and copy-pasted both. I hope this was correct. Thank you in advance for your assistance!
DDS (Ver_09-05-14.01) - NTFSx86
Run by Wilson at 14:43:28.98 on Fri 05/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2368 [GMT -7:00]
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Volume Panel\VolPanlu.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\ASUS\EPU-6 Engine\SixEngine.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\AI Direct Link\AsShare.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\program files\steam\steam.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Security Task Manager\TaskMan.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Documents and Settings\Wilson\Desktop\dds.scr
============== Pseudo HJT Report ===============
uSearch Bar = hxxp://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
uURLSearchHooks: N/A: {38e77f06-89fc-44f5-b3ab-11ddeb791947} - c:\program files\frontiersh\srchhelp\frSrcAs.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {38e77f01-89fc-44f5-b3ab-11ddeb791947} - c:\program files\frontiersh\srchhelp\frSrcAs.dll
BHO: FrontierBA BHO: {a93a3cc1-ba23-4d0d-9440-6a0148362b7e} - c:\program files\frontierba\browserassistant\fbabar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Frontier Browser Assistant: {a93a3cc9-ba23-4d0d-9440-6a0148362b7e} - c:\program files\frontierba\browserassistant\fbabar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [VolPanel] "c:\program files\creative\volume panel\VolPanlu.exe" /r
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Six Engine] "c:\program files\asus\epu-6 engine\SixEngine.exe" -r
mRun: [Ai Nap] "c:\program files\asus\ai suite\ainap\AiNap.exe"
mRun: [QFan Help] "c:\program files\asus\ai suite\qfan3\QFanHelp.exe"
mRun: [Cpu Level Up help] c:\program files\asus\ai suite\CpuLevelUpHelp.exe
mRun: [Launch Direct Link] "c:\program files\asus\ai direct link\AsShare.exe"
mRun: [Launch As Cmd Runner] "c:\program files\asus\ai direct link\AsCmd.exe" -reg
mRun: [BootSkin Startup Jobs] "c:\progra~1\stardock\wincus~1\bootskin\BootSkin.exe" /StartupJobs
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
StartupFolder: c:\docume~1\wilson\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\wilson\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223367418911
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223367453385
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://frontier.webex.com/client/T26L/support/ieatgpc.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\wilson\applic~1\mozilla\firefox\profiles\nlxcxbij.default\
FF - plugin: c:\program files\google\google updater\2.4.1591.6512\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
============= SERVICES / DRIVERS ===============
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-7 24652]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-10-7 36864]
S2 gupdate1c9d6be10aa11e2;Google Update Service (gupdate1c9d6be10aa11e2);c:\program files\google\update\GoogleUpdate.exe [2009-5-17 133104]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2008-10-7 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-10-12 38496]
=============== Created Last 30 ================
2009-05-28 18:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-05-28 18:41 <DIR> --d----- c:\program files\Security Task Manager
2009-05-27 22:29 <DIR> --dsh--- c:\documents and settings\wilson\IETldCache
2009-05-27 22:27 <DIR> --d----- c:\windows\ie8updates
2009-05-27 22:27 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-27 22:25 <DIR> -cd-h--- c:\windows\ie8
2009-05-25 01:27 <DIR> --ds---- C:\ComboFix
2009-05-22 21:24 177,698 ac------ c:\windows\system32\dllcache\c_20949.nls
==================== Find3M ====================
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-24 05:15 444,952 a------- c:\windows\system32\wrap_oal.dll
2009-03-24 05:15 109,080 a------- c:\windows\system32\OpenAL32.dll
2009-03-22 23:00 2,560 a------- c:\windows\_MSRSTRT.EXE
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2008-10-15 21:04 1,499,136 a------- c:\program files\CPU-Z.exe
2008-09-21 03:03 410,416 a------- c:\program files\GPU-Z.0.2.7.exe
2006-06-23 23:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe
2004-06-17 23:41 386,688 a------- c:\windows\inf\wg311v2\netwg311_XP.sys
2004-04-04 13:07 84,912 a------- c:\windows\inf\wg311v2\FwRad17.bin
2004-04-04 13:07 83,320 a------- c:\windows\inf\wg311v2\FwRad16.bin
============= FINISH: 14:43:43.39 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-05-14.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/7/2008 1:12:39 AM
System Uptime: 5/27/2009 10:55:20 PM (40 hours ago)
Motherboard: ASUSTeK Computer INC. | | P5Q-PRO
Processor: Intel Pentium III Xeon processor | LGA 775 | 3293/368mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 596 GiB total, 403.356 GiB free.
D: is CDROM ()
F: is CDROM (CDFS)
==== Disabled Device Manager Items =============
Class GUID:
Description: Audio Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0888&SUBSYS_104382FE&REV_1001\4&22BA60&0&0001
Manufacturer:
Name: Audio Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0888&SUBSYS_104382FE&REV_1001\4&22BA60&0&0001
Service:
==== System Restore Points ===================
RP155: 3/2/2009 2:12:09 AM - System Checkpoint
RP156: 3/3/2009 4:08:32 AM - System Checkpoint
RP157: 3/4/2009 5:33:36 AM - System Checkpoint
RP158: 3/5/2009 5:37:47 AM - System Checkpoint
RP159: 3/6/2009 6:10:49 AM - System Checkpoint
RP160: 3/6/2009 3:10:20 PM - Removed Java(TM) 6 Update 10
RP161: 3/6/2009 3:10:41 PM - Installed Java(TM) 6 Update 12
RP162: 3/7/2009 7:29:12 PM - System Checkpoint
RP163: 3/9/2009 6:51:58 AM - System Checkpoint
RP164: 3/10/2009 7:37:43 AM - System Checkpoint
RP165: 3/11/2009 2:00:13 AM - Software Distribution Service 3.0
RP166: 3/12/2009 2:45:18 AM - System Checkpoint
RP167: 3/13/2009 5:17:15 AM - System Checkpoint
RP168: 3/14/2009 6:35:16 AM - System Checkpoint
RP169: 3/14/2009 10:09:32 PM - Software Distribution Service 3.0
RP170: 3/16/2009 3:03:36 AM - System Checkpoint
RP171: 3/17/2009 3:24:19 AM - System Checkpoint
RP172: 3/18/2009 4:20:12 AM - System Checkpoint
RP173: 3/19/2009 5:51:17 AM - System Checkpoint
RP174: 3/20/2009 6:13:57 AM - System Checkpoint
RP175: 3/21/2009 7:32:36 AM - System Checkpoint
RP176: 3/22/2009 8:52:54 AM - System Checkpoint
RP177: 3/22/2009 9:34:36 PM - Installed NETGEAR WG311v2 802.11g Wireless PCI Adapter
RP178: 3/22/2009 10:05:22 PM - Configured NETGEAR WG311v2 802.11g Wireless PCI Adapter
RP179: 3/22/2009 10:06:07 PM - Removed Console Launcher
RP180: 3/22/2009 10:06:25 PM - Removed Creative Audio Control Panel
RP181: 3/22/2009 10:16:21 PM - Installed Creative Audio Control Panel
RP182: 3/22/2009 10:57:35 PM - Installed NETGEAR WG311v3 PCI Adapter
RP183: 3/24/2009 2:01:51 AM - Configured NETGEAR WG311v3 PCI Adapter
RP184: 3/24/2009 2:37:44 AM - Installed Creative Audio Control Panel
RP185: 3/24/2009 5:09:30 AM - Removed Dead Space™
RP186: 3/24/2009 5:14:18 AM - Installed Creative Audio Control Panel
RP187: 3/25/2009 5:32:54 AM - System Checkpoint
RP188: 3/26/2009 6:45:24 AM - System Checkpoint
RP189: 3/27/2009 6:56:54 AM - System Checkpoint
RP190: 3/28/2009 7:08:54 AM - System Checkpoint
RP191: 3/29/2009 6:20:58 PM - System Checkpoint
RP192: 3/31/2009 4:46:18 AM - System Checkpoint
RP193: 4/1/2009 3:16:53 AM - Installed Java(TM) 6 Update 13
RP194: 4/2/2009 3:25:46 AM - System Checkpoint
RP195: 4/3/2009 4:53:04 AM - System Checkpoint
RP196: 4/4/2009 7:15:47 AM - System Checkpoint
RP197: 4/5/2009 8:06:12 AM - System Checkpoint
RP198: 4/6/2009 9:06:12 AM - System Checkpoint
RP199: 4/7/2009 10:07:16 AM - System Checkpoint
RP200: 4/8/2009 10:48:54 AM - System Checkpoint
RP201: 4/9/2009 8:46:59 PM - System Checkpoint
RP202: 4/11/2009 8:56:13 AM - System Checkpoint
RP203: 4/12/2009 9:43:02 AM - System Checkpoint
RP204: 4/13/2009 10:43:02 AM - System Checkpoint
RP205: 4/14/2009 4:25:00 PM - System Checkpoint
RP206: 4/15/2009 5:14:26 PM - System Checkpoint
RP207: 4/16/2009 7:38:50 PM - System Checkpoint
RP208: 4/17/2009 3:00:14 AM - Software Distribution Service 3.0
RP209: 4/18/2009 5:36:06 AM - System Checkpoint
RP210: 4/19/2009 11:30:19 AM - System Checkpoint
RP211: 4/20/2009 12:14:06 PM - System Checkpoint
RP212: 4/21/2009 1:07:05 PM - System Checkpoint
RP213: 4/22/2009 5:10:23 PM - System Checkpoint
RP214: 4/24/2009 3:29:05 AM - System Checkpoint
RP215: 4/26/2009 5:16:34 AM - System Checkpoint
RP216: 4/27/2009 5:24:14 AM - System Checkpoint
RP217: 4/28/2009 6:07:38 AM - System Checkpoint
RP218: 4/28/2009 3:24:38 PM - Software Distribution Service 3.0
RP219: 4/29/2009 9:48:57 PM - System Checkpoint
RP220: 5/1/2009 5:18:05 AM - System Checkpoint
RP221: 5/2/2009 1:54:01 PM - Installed Windows XP WgaNotify.
RP222: 5/3/2009 6:06:48 PM - System Checkpoint
RP223: 5/5/2009 4:13:21 AM - System Checkpoint
RP224: 5/6/2009 5:09:54 AM - System Checkpoint
RP225: 5/7/2009 5:56:48 AM - System Checkpoint
RP226: 5/8/2009 7:32:36 AM - System Checkpoint
RP227: 5/9/2009 7:56:47 AM - System Checkpoint
RP228: 5/10/2009 11:16:36 AM - System Checkpoint
RP229: 5/11/2009 11:56:46 AM - System Checkpoint
RP230: 5/12/2009 11:57:53 AM - System Checkpoint
RP231: 5/13/2009 3:00:14 AM - Software Distribution Service 3.0
RP232: 5/14/2009 6:48:51 AM - System Checkpoint
RP233: 5/15/2009 7:07:12 AM - System Checkpoint
RP234: 5/16/2009 7:57:52 AM - System Checkpoint
RP235: 5/18/2009 4:09:12 AM - System Checkpoint
RP236: 5/19/2009 9:34:05 AM - System Checkpoint
RP237: 5/20/2009 10:50:43 AM - System Checkpoint
RP238: 5/21/2009 10:56:51 AM - System Checkpoint
RP239: 5/22/2009 11:36:36 AM - System Checkpoint
RP240: 5/23/2009 12:23:38 PM - System Checkpoint
RP241: 5/24/2009 1:24:43 PM - System Checkpoint
RP242: 5/25/2009 2:00:46 PM - System Checkpoint
RP243: 5/26/2009 3:03:24 PM - System Checkpoint
RP244: 5/27/2009 3:36:45 PM - System Checkpoint
RP245: 5/27/2009 10:24:14 PM - Software Distribution Service 3.0
RP246: 5/29/2009 5:16:31 AM - System Checkpoint
==== Installed Programs ======================
µTorrent
Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.1.1
Adobe Shockwave Player 11
AI Direct Link
AI Suite
AIM 6
ASUSUpdate
Atheros Communications Inc.(R) AR8121/AR8113 Gigabit/Fast Ethernet Driver
ATI Display Driver
Audacity 1.2.6
Battlefield 2142
BootSkin
CDDRV_Installer
Counter-Strike
Counter-Strike: Source
Creative Audio Control Panel
Diablo II
EPU-6 Engine
ERUNT 1.1j
Fraps (remove only)
Frontier Browser Assistant
Frontier Search Helper
Futuremark SystemInfo
getPlus(R) for Adobe
Google Chrome
Google Earth
Google Update Helper
Google Updater
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Java(TM) 6 Update 13
KhalInstallWrapper
Left 4 Dead
Left 4 Dead Demo
Logitech SetPoint
MagicDisc 2.7.105
Malwarebytes' Anti-Malware
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Speech SDK 5.1
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.10)
MSN
MSXML 4.0 SP2 (KB954430)
Nero 7 Ultra Edition
neroxml
OpenAL
OpenOffice.org Installer 1.0
Portal
Security Task Manager 1.7h
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Spybot - Search & Destroy
SpywareBlaster 4.1
Starcraft
Steam
Team Fortress 2
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Ventrilo Client
Viewpoint Media Player
VLC media player 0.9.4
Volume Panel
WebEx
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows XP Service Pack 3
WinPatrol 2008
WinRAR archiver
World of Warcraft
==== Event Viewer Messages From Past Week ========
5/27/2009 10:34:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AsIO Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip Tcpip6
5/27/2009 10:34:39 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
5/27/2009 10:34:39 PM, error: Service Control Manager [7001] - The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/27/2009 10:34:39 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/27/2009 10:34:39 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/27/2009 10:34:39 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/27/2009 10:33:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/27/2009 10:33:54 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/24/2009 2:53:41 PM, error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).
5/24/2009 11:57:01 PM, error: Dhcp [1002] - The IP address lease 192.168.254.100 for the Network Card with network address 00221563C10F has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
==== End Of File ===========================
shelf life
2009-05-30, 05:12
hi,
Well, the good news is I don't recognize any malware in the log. You said Malwarebytes and Spybot are coming up clean after a scan? Perhaps you lost the passwords another way?
flamingsnoman
2009-05-30, 06:20
I think the most likely way the passwords were attained is through Firefox, as some of my passwords were saved with it. I've since cleared all Firefox info. What is the next step I should take? Reformatting has come to mind but only as a last resort.
shelf life
2009-05-31, 02:03
Hi,
"Reformatting has come to mind"
If you had all kinds of malware on your computer then maybe, but you don't. As far as I can tell, and based on the scans you did that are clean, you are malware free. We can get another look for any rootkits.
Please download: RootRepeal
http://rootrepeal.googlepages.com/RootRepeal.zip
Extract the file to your desktop.
Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan
May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply
flamingsnoman
2009-05-31, 03:40
ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/05/30 17:31
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8418000 Size: 98304 File Visible: No
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA60E000 Size: 8192 File Visible: No
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA4F0C000 Size: 45056 File Visible: No
Status: -
Hidden/Locked Files
-------------------
Path: C:\RECYCLER\S-1-5-21-448539723-854245398-839522115-1003\WINDOW~1.ISO
Status: Locked to the Windows API!
Path: C:\Documents and Settings\Wilson\Local Settings\Temp\etilqs_7soLMiShi4hR6dIzq4oZ
Status: Allocation size mismatch (API: 4096, Raw: 0)
Path: C:\Documents and Settings\Wilson\Local Settings\Temporary Internet Files\Content.IE5\75SWQJKD\1e-gqsb[1].htm
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\Wilson\Local Settings\Temporary Internet Files\Content.IE5\75SWQJKD\1e-gqsb[2].htm
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Wilson\Local Settings\Temporary Internet Files\Content.IE5\DNE05OPV\16785-5[4].js
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Wilson\Local Settings\Temporary Internet Files\Content.IE5\GLOU7488\size=120x90;noperf=1;alias=93245511;cfp=1;noaddonpl=y;kvmn=93245511;target=_blank;aduho=420;grp=730094656;misc=730094656[1].htm
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Wilson\Local Settings\Temporary Internet Files\Content.IE5\P6TVMWDL\size=120x90;noperf=1;alias=93245511;cfp=1;noaddonpl=y;kvmn=93245511;target=_blank;aduho=420;grp=730094656;misc=730094656;adiframe=y[1]
Status: Visible to the Windows API, but not on disk.
shelf life
2009-05-31, 15:15
I don't see anything there to be worried about. You can, for another opinion, do an online scan:
ESET online scanner:
http://www.eset.com/onlinescan/
Uses Internet Explorer only.
Check "YES" to accept terms.
Click the start button.
Allow the ActiveX component to install.
Click the start button; the scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
Click scan.
When done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
Please copy/paste that log in your next reply.
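Triage logic for a RootRepeal "Hidden/Locked Files" report, added here as an example that is not part of this thread or of RootRepeal itself. It parses the Path/Status pairs in the layout of the report posted above and ranks them the way the helper's reading does: Recycle Bin, Temp and Temporary Internet Files entries are routine noise, while a file the raw disk scan sees but the Windows API does not, sitting under a system directory, is the case worth a closer look. The embedded sample report is constructed; it reuses entries from the post above and adds one made-up driver entry (fakedrv.sys) to exercise the high-severity branch, and the severity thresholds are this example's own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in RootRepeal's report layout. The Hidden/Locked Files
# entries are copied from the report posted in this thread, except
# fakedrv.sys, which is made up to exercise the high-severity branch.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: rootrepeal.sys
Status: -

Hidden/Locked Files
-------------------
Path: C:\RECYCLER\S-1-5-21-448539723-854245398-839522115-1003\WINDOW~1.ISO
Status: Locked to the Windows API!
Path: C:\Documents and Settings\Wilson\Local Settings\Temp\etilqs_7soLMiShi4hR6dIzq4oZ
Status: Allocation size mismatch (API: 4096, Raw: 0)
Path: C:\Documents and Settings\Wilson\Local Settings\Temporary Internet Files\Content.IE5\75SWQJKD\1e-gqsb[1].htm
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\Wilson\Local Settings\Temporary Internet Files\Content.IE5\75SWQJKD\1e-gqsb[2].htm
Status: Visible to the Windows API, but not on disk.
Path: C:\WINDOWS\system32\drivers\fakedrv.sys
Status: Invisible to the Windows API!
"""

@dataclass
class Finding:
    path: str
    status: str
    severity: str  # "info", "review" or "high"
    reason: str

SEVERITY_ORDER = {"info": 0, "review": 1, "high": 2}
# Locations where hidden/locked entries are routine: browser cache churn,
# temp files, Recycle Bin contents. These thresholds are this example's own.
NOISE_MARKERS = ("\\temporary internet files\\", "\\local settings\\temp\\", "\\recycler\\")
SYSTEM_MARKERS = ("\\windows\\", "\\program files\\")

def parse_hidden_files(report: str) -> list[tuple[str, str]]:
    """Return (path, status) pairs from the Hidden/Locked Files section only."""
    lines = [ln.strip() for ln in report.splitlines()]
    pairs, in_section, path = [], False, None
    for i, line in enumerate(lines):
        # A section header is a line immediately followed by a run of dashes.
        if i + 1 < len(lines) and re.fullmatch(r"-{5,}", lines[i + 1]):
            in_section = line == "Hidden/Locked Files"
        elif in_section and line.startswith("Path: "):
            path = line[len("Path: "):]
        elif in_section and line.startswith("Status: ") and path is not None:
            pairs.append((path, line[len("Status: "):]))
            path = None
    return pairs

def rank(path: str, status: str) -> Finding:
    """Rank one entry: a file the raw scan sees but the API does not is the
    case worth attention, unless it sits where cache churn explains it."""
    low = path.lower()
    in_noise = any(m in low for m in NOISE_MARKERS)
    in_system = any(m in low for m in SYSTEM_MARKERS)
    if status.startswith("Visible to the Windows API, but not on disk"):
        return Finding(path, status, "info", "directory entry with no data; stale cache index")
    if status.startswith("Invisible to the Windows API"):
        if in_system and not in_noise:
            return Finding(path, status, "high", "hidden from the API under a system directory")
        return Finding(path, status, "review", "hidden from the API, but in a cache/temp location")
    if status.startswith(("Locked to the Windows API", "Allocation size mismatch")):
        return Finding(path, status, "info" if in_noise else "review", "locked or size-mismatched file")
    return Finding(path, status, "review", "unrecognised status text")

def triage(report: str) -> list[Finding]:
    """Parse the report and return findings, highest severity first."""
    findings = [rank(p, s) for p, s in parse_hidden_files(report)]
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity], reverse=True)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:>6}] {f.path}\n         {f.status} -- {f.reason}")
```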
flamingsnoman
2009-06-01, 05:12
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=4314310f7f3d7047a0aee2c17aee4c2b
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-01 02:00:43
# local_time=2009-05-31 07:00:43 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=116947
# found=1
# cleaned=1
# scan_time=2203
C:\Documents and Settings\Wilson\Desktop\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000
shelf life
2009-06-02, 00:46
hi,
As far as malware goes, it all looks good to me. No signs of anything on your machine like a trojan or something.
flamingsnoman
2009-06-02, 13:19
That seems to be good news, but would you still advise against typing any passwords or personal information on this computer? I have thus far been using the Windows on-screen keyboard to click my way through login screens for fear of having more personal information stolen.
shelf life
2009-06-03, 03:40
hi,
OK, let's get one more look for any malware present on the machine with ComboFix. There is a guide to read first. Read through the guide, download ComboFix, disable any AV etc. as explained in the guide, double-click the icon and follow the prompts. Post the ComboFix log in your reply. If it looks good then I would change all the online passwords you use on the machine.
The guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
flamingsnoman
2009-06-03, 04:35
ComboFix 09-06-01.03 - Wilson 06/02/2009 18:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2800 [GMT -7:00]
Running from: c:\documents and settings\Wilson\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\autorun.inf
c:\windows\setup.exe
c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
c:\windows\system32\mdm.exe
.
((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.
2009-06-01 01:21 . 2009-06-01 01:21 -------- d-----w- c:\program files\ESET
2009-06-01 01:20 . 2009-06-01 01:20 -------- d-sh--w- c:\documents and settings\Wilson\PrivacIE
2009-05-30 19:15 . 2009-05-30 19:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-05-29 01:49 . 2009-05-29 01:49 -------- d-----w- c:\documents and settings\Wilson\Local Settings\Application Data\Help
2009-05-28 05:33 . 2009-05-28 05:33 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-05-28 05:29 . 2009-05-28 05:29 -------- d-sh--w- c:\documents and settings\Wilson\IETldCache
2009-05-28 05:27 . 2009-05-28 05:27 -------- d-----w- c:\windows\ie8updates
2009-05-28 05:27 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-05-28 05:25 . 2009-05-28 05:26 -------- dc-h--w- c:\windows\ie8
2009-05-28 04:38 . 2009-05-28 04:38 -------- d-----w- c:\program files\ERUNT
2009-05-23 04:24 . 2004-08-04 12:00 6656 -c--a-w- c:\windows\system32\dllcache\c_is2022.dll
2009-05-22 01:32 . 2009-05-22 01:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-05-17 07:07 . 2009-05-17 07:07 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-17 07:06 . 2009-05-17 07:13 -------- d-----w- c:\documents and settings\Wilson\Local Settings\Application Data\Google
2009-05-17 07:06 . 2009-05-17 07:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-05-17 07:06 . 2009-05-17 07:07 -------- d-----w- c:\program files\Google
2009-05-14 23:56 . 2009-05-14 23:56 -------- d-----w- c:\documents and settings\Wilson\Local Settings\Application Data\Blizzard Entertainment
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 01:21 . 2008-10-07 09:40 -------- d-----w- c:\program files\Steam
2009-06-02 10:06 . 2008-11-03 20:57 -------- d-----w- c:\documents and settings\Wilson\Application Data\uTorrent
2009-05-29 23:56 . 2008-10-07 09:24 -------- d-----w- c:\program files\Starcraft
2009-05-29 04:22 . 2009-05-29 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-05-29 01:49 . 2009-05-29 01:41 -------- d-----w- c:\program files\Security Task Manager
2009-05-27 17:20 . 2008-10-07 08:15 26704 ----a-w- c:\documents and settings\Wilson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 07:40 . 2008-10-08 02:57 -------- d-----w- c:\program files\Winamp
2009-05-23 04:26 . 2008-10-07 08:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-21 06:18 . 2008-10-17 10:29 -------- d-----w- c:\program files\Diablo II
2009-05-20 00:53 . 2008-10-07 12:50 -------- d-----w- c:\program files\World of Warcraft
2009-05-18 09:07 . 2008-10-12 17:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-18 09:07 . 2008-10-12 17:32 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-06 22:32 . 2008-10-12 17:30 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-10-12 17:30 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-04-01 10:16 . 2009-04-01 10:16 152576 ----a-w- c:\documents and settings\Wilson\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-24 12:15 . 2008-10-07 08:20 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-03-24 12:15 . 2008-10-07 08:20 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-03-23 06:00 . 2009-03-23 06:00 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-03-23 04:34 . 2009-03-23 04:34 62865 ----a-w- c:\windows\system32\drivers\odysseyIM3.sys
2009-03-09 12:19 . 2008-11-28 00:12 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-08 11:34 . 2004-08-04 12:00 914944 ----a-w- c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-08-04 12:00 43008 ----a-w- c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2004-08-04 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2004-08-04 12:00 72704 ----a-w- c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-08-04 12:00 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2004-08-04 12:00 34816 ----a-w- c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2004-08-04 12:00 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2004-08-04 12:00 45568 ----a-w- c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2004-08-04 12:00 156160 ----a-w- c:\windows\system32\msls31.dll
2009-03-06 23:10 . 2009-03-06 23:10 503808 ----a-w- c:\documents and settings\Wilson\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-79353a6c-n\msvcp71.dll
2009-03-06 23:10 . 2009-03-06 23:10 499712 ----a-w- c:\documents and settings\Wilson\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-79353a6c-n\jmc.dll
2009-03-06 23:10 . 2009-03-06 23:10 348160 ----a-w- c:\documents and settings\Wilson\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-79353a6c-n\msvcr71.dll
2009-03-06 23:09 . 2009-03-06 23:09 152576 ----a-w- c:\documents and settings\Wilson\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w- c:\windows\system32\pdh.dll
2008-10-16 04:04 . 2008-10-16 15:13 1499136 ----a-w- c:\program files\CPU-Z.exe
2008-09-21 10:03 . 2008-10-12 13:38 410416 ----a-w- c:\program files\GPU-Z.0.2.7.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"Steam"="c:\program files\steam\steam.exe" [2009-05-19 1217784]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-17 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-09-19 333120]
"Six Engine"="c:\program files\ASUS\EPU-6 Engine\SixEngine.exe" [2008-06-03 5964800]
"Ai Nap"="c:\program files\ASUS\AI Suite\AiNap\AiNap.exe" [2008-05-21 1423360]
"QFan Help"="c:\program files\ASUS\AI Suite\QFan3\QFanHelp.exe" [2008-05-06 594432]
"Cpu Level Up help"="c:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-12-01 881152]
"Launch Direct Link"="c:\program files\ASUS\AI Direct Link\AsShare.exe" [2007-11-16 1209856]
"Launch As Cmd Runner"="c:\program files\ASUS\AI Direct Link\AsCmd.exe" [2007-04-12 376832]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-10-08 23552]
c:\documents and settings\Wilson\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-10-7 575488]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-7 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\Steam\\steamapps\\flamingsnoman\\counter-strike\\hl.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9464-to-3.0.8.9506-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead demo\\left4dead.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.1.0-enUS-downloader.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Steam\\steamapps\\flamingsnoman\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\flamingsnoman\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/7/2008 2:09 AM 24652]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [7/20/2007 6:40 PM 84992]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 2:21 AM 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 2:21 AM 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 2:21 AM 72728]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [10/7/2008 1:16 AM 36864]
S2 gupdate1c9d6be10aa11e2;Google Update Service (gupdate1c9d6be10aa11e2);c:\program files\Google\Update\GoogleUpdate.exe [5/17/2009 12:06 AM 133104]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [10/7/2008 1:20 AM 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 2:21 AM 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 2:21 AM 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 2:21 AM 72728]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [10/12/2008 10:30 AM 38496]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-06-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-17 07:06]
2009-06-03 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-17 07:06]
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Wilson\Application Data\Mozilla\Firefox\Profiles\nlxcxbij.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1591.6512\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-02 18:31
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-448539723-854245398-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:33,92,36,09,5d,52,3e,7a,29,a6,f4,36,2f,41,8b,db,2c,17,87,cb,5c,
12,67,30,20,fa,c1,60,e3,4b,a8,ff,2f,3f,25,07,0e,9b,06,5c,7b,fd,72,5f,1b,b1,\
"rkeysecu"=hex:df,73,ed,54,4b,cd,48,44,b1,38,6d,e3,f2,65,59,04
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2009-06-03 18:33
ComboFix-quarantined-files.txt 2009-06-03 01:32
Pre-Run: 432,812,212,224 bytes free
Post-Run: 433,595,133,952 bytes free
198 --- E O F --- 2009-05-13 10:01
shelf life
2009-06-04, 00:24
hi,
OK, good. You can remove ComboFix like this:
start>run and type in combofix /u
click ok or enter
Note: a space after x and before the /
As far as I can tell you have no malware. I would change the passwords you use.
You can make a new restore point. The why and how:
One of the features of Windows ME,XP and Vista is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore. (new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot
Some tips for reducing your risk:
10 Tips for Reducing Your Risk To Malware:
The Short Version:
1) It is essential to keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. This is also true for web-based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here. (http://secunia.com/vulnerability_scanning/online/)
2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer where you're then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html) that you may have malware on your computer.
3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.
4) Refrain from clicking on links or attachments you receive via E-Mail, IM, IRC, Chat Rooms or Social Networking Sites, no matter how tempting or legitimate the message may seem.
5) Don't click on ads/pop-ups or offers from websites requesting that you install software, media players or codecs to your computer--for any reason.
6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?
7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing.*
8) Install and understand the limitations of a software firewall.
9) Consider using an alternate browser and e-mail client. Internet Explorer and Outlook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer. (http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en)
10) Warez, cracks etc. are very popular for carrying malware payloads. Avoid. If you install files via p2p (http://www.virusvault.us/p2p.html) networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?
A longer version is in the link below.
Happy Safe Surfing.