Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Keylogger/trojan


  • This topic is locked This topic is locked
2 replies to this topic

#1 Critch

Critch

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 26 September 2008 - 06:41 AM

at around 4am Sunday morning my WoW account was hacked. I have it back and all items recovered but I am now paranoid.

I have never given or shared my password with anyone (not even my wife knows it). System and security wise I run XP Pro SP3 fully patched. Firefox 3 with NoScript addon. NOD32 AV, with Zone Alarm Pro. Hard wired Linksys router which is also firewalled. I have since upgraded NOD32 post-hack to Smart Security and done away with Zone Alarm Pro as I found it getting too buggy and bloated (more on this below). I also use SpyBot S&D, AdAware and CCleaner. With all those I still got hacked. While I know the very basics about computers I have know in-depth knowledge and need to know that my system is safe. When I got home on Monday evening and read the email from Blizzard about my account being compromised I did a full scan with NOD32, Spybot, and Adaware and few online scanners and my system came back clean, so I dont know how I got hacked and I am still not sure I am safe.

Coming back to Zone Alarm Pro - I was running this when I got hacked and for a couple of weeks before the hack on every boot-up svchost.exe was asking for internet rights on port 135. Even when I clicked deny and remember setting it would pop-up on boot-up. I searched the net but couldn't really find anything. In the end and thinking it was a core system process I allowed it. But even then after allowing it and setting it to remember the setting it would still ask for internet rights on every boot-up so I though it was just ZA being buggy. Then obviously I got hacked. I cannt say with any degree of confidence though that this was the vulnerability leading up to the hack. I would really like to know what svchost.exe on Port 135 is used for. The firewall built into Smart Security also describes this as EPMAP Port 135 and I dont have a clue what that means.

So I got hacked and I dont know how. My system is clean, or at least all the programs I use report it as clean. I would just like reassurance from the clever folk here that my system logs do not cause any concern.

Many thanks.

PS. Autohotkey I am aware of. I use it on one of my game characters to spam a key so I dont wear my keyboard out. Here are the logs;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:50, on 26/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\AI Booster\OverClk.exe
C:\Program Files\ASUS\AI Gear\GearHelp.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steganos Password Manager 2006\SPM2006.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Steganos Password Manager 2006\PasswordManagerIEAutoFill.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.war-europe.com/#/news/?lang=en&id_news=en106
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.15\AsRunHelp.exe
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\AI Booster\OverClk.exe"
O4 - HKLM\..\Run: [Ai Gear Help] "C:\Program Files\ASUS\AI Gear\GearHelp.exe"
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [SPM2006] "C:\Program Files\Steganos Password Manager 2006\SPM2006.exe" -boot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [SPM2006] "C:\Program Files\Steganos Password Manager 2006\SPM2006.exe" -firstboot (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [SPM2006] "C:\Program Files\Steganos Password Manager 2006\SPM2006.exe" -firstboot (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SPM2006] "C:\Program Files\Steganos Password Manager 2006\SPM2006.exe" -firstboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SPM2006] "C:\Program Files\Steganos Password Manager 2006\SPM2006.exe" -firstboot (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O4 - Global Startup: SetPointII.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15105/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA48D46D-EBCC-419E-BB1E-C7A113B4D01E}: NameServer = 212.69.36.3,212.69.40.3
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10000 bytes


StartupList report, 26/09/2008, 12:00:54
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16705)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\AI Booster\OverClk.exe
C:\Program Files\ASUS\AI Gear\GearHelp.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steganos Password Manager 2006\SPM2006.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Steganos Password Manager 2006\PasswordManagerIEAutoFill.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Carl\Start Menu\Programs\Startup]
Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
GammaTray.lnk = ?
NCProTray.lnk = ?
SetPointII.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AsusStartupHelp = C:\Program Files\ASUS\AASP\1.00.15\AsRunHelp.exe
Launch Ai Booster = "C:\Program Files\ASUS\AI Booster\OverClk.exe"
Ai Gear Help = "C:\Program Files\ASUS\AI Gear\GearHelp.exe"
AudioDrvEmulator = "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
amd_dc_opt = C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
dlcxmon.exe = "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
Kernel and Hardware Abstraction Layer = KHALMNPR.EXE
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
CTHelper = CTHELPER.EXE
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
CTxfiHlp = CTXFIHLP.EXE
VolPanel = "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
DLCXCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
QuickTime Task = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
egui = "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
NVIDIA nTune = "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
SPM2006 = "C:\Program Files\Steganos Password Manager 2006\SPM2006.exe" -boot

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Download Program Files:

[Office Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\OGACheckControl.DLL
CODEBASE = http://download.microsoft.com/download/e/7.../OGAControl.cab

[Creative Software AutoUpdate]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CTSUEng.ocx
CODEBASE = http://www.creative.com/su/ocx/15031/CTSUEng.cab

[OnlineScanner Control]
InProcServer32 = C:\WINDOWS\system32\ONLINE~1.OCX
CODEBASE = http://www.eset.eu/buxus/docs/OnlineScanner.cab

[{67A5F8DC-1A4B-4D66-9F24-A704AD929EEE}]
CODEBASE = http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
OSD = C:\WINDOWS\Downloaded Program Files\SysReqLab2.osd

[Creative Software AutoUpdate]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CTSUEngn.ocx
CODEBASE = http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

[Creative Software AutoUpdate Support Package]
InProcServer32 = C:\PROGRA~1\Creative\SHARED~1\SOFTWA~1\CTPID.ocx
CODEBASE = http://www.creative.com/softwareupdate/su/...15105/CTPID.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 8,007 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

BC AdBot (Login to Remove)

 


#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:05:45 AM

Posted 05 October 2008 - 01:27 PM

Welcome to the BleepingComputer Forums. Since it has been a few days since you scanned your computer with HijackThis, please post a new HijackThis log. Please see Preparation Guide for use before posting about your potential Malware problem. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:05:45 AM

Posted 15 October 2008 - 06:33 AM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users