
My email account has been hacked


  • This topic is locked
14 replies to this topic

#1 beesan

beesan

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:28 PM

Posted 15 January 2009 - 10:13 PM

I just found out that someone was able to hack into my email account. The hacked email account is a POP3 email account using a personal domain name at a web host.

According to my web host, it appears the hack started more than a month ago.

I don't know how the hacker was able to get my username and password for my email account. I am concerned that my PC may have an unknown trojan or keyboard logger that my antivirus and antispyware scans may be missing.

I hope someone can help identify whether or not I have any malware infections on my system that could have led to the hacking of my email account.

I ran the DDS.scr per forum instructions. DDS log file is below this message. I have also attached the attach.txt to this post.


DDS (Ver_09-01-07.01) - FAT32x86
Run by Rick at 19:15:20.78 on Thu 01/15/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.249 [GMT -6:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
FW: Outpost Firewall Pro *disabled*
FW: COMODO Firewall Pro *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Rick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.1852\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -s
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\$MCREB~1.LNK -
IE: &Search -
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {8ABEC182-FED6-47FC-AFE1-00C7A773A00C} - c:\program files\movies extractor scout\flashextract.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\dcsws2.dll
Trusted Zone: bankofamerica.com\sitekey
Trusted Zone: bankofamerica.com\www
Trusted Zone: bcentral.com\www
Trusted Zone: billpaysite.com\www
Trusted Zone: com.hk\www.citibank
Trusted Zone: f-secure.com\support
Trusted Zone: go.com\www.espn
Trusted Zone: hitslink.com
Trusted Zone: insureme.com\affiliate
Trusted Zone: kaspersky.com\www
Trusted Zone: microsoft.com\office
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\www
Trusted Zone: msn.com\video
Trusted Zone: myprepaidrefill.com\www
Trusted Zone: pandasoftware.com\www
Trusted Zone: paypal.com\www
Trusted Zone: rewards-catalog.com\www
Trusted Zone: sightspeed.com\people
Trusted Zone: sightspeed.com\secure
Trusted Zone: sightspeed.com\www
Trusted Zone: testmyvoip.com\www
Trusted Zone: testyourvoip.com\www
Trusted Zone: voipreview.org\www
Trusted Zone: voxilla.com
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rick\applic~1\mozilla\firefox\profiles\68pfuwrv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gnpcb.org/esv/devotions/one.year.bible/?date=2007-03-01

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-9-9 28544]
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-1-5 3968]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2007-11-23 79096]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2007-11-23 23672]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-2-20 33800]
R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2008-5-26 53752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 55024]
R3 ati2mtai;ati2mtai;c:\windows\system32\drivers\ati2mtai.sys [2005-8-3 346752]
R3 EL556;3Com 10/100 Mini PCI Ethernet Adapter NDIS 5.0 Driver;c:\windows\system32\drivers\EL556ND5.sys [2005-8-2 58951]
R3 maestro;ESS Maestro Audio Driver (WDM);c:\windows\system32\drivers\es198xdl.sys [2005-8-3 414400]
R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\drivers\WDHAALBA.sys [2005-8-2 706192]
R4 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 312880]
R4 cmdAgent;COMODO Firewall Pro Helper Service;c:\program files\comodo\firewall\cmdagent.exe [2007-11-23 544512]
R4 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-2-20 472320]
R4 PAR1284;PAR1284;c:\windows\system32\drivers\par1284.sys [2004-8-14 54792]
R4 PPNT;PPNT;c:\windows\system32\drivers\ppnt.sys [2004-8-14 13824]
R4 procguard;procguard;c:\windows\system32\drivers\procguard.sys [2005-12-9 24911]
R4 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2004-5-21 114944]
S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [2005-8-2 281600]
S3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\drivers\EL556ND5.sys [2005-8-2 58951]
S3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\drivers\hp4200c.sys [2006-8-15 9312]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-9-8 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-9-8 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-9-8 81288]
S3 PRISM;Instant Wireless - Network PC CARD Driver;c:\windows\system32\drivers\PRISMNDS.sys [2001-11-26 52736]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-9-8 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-9-8 1079176]
S3 SGUARD;SGUARD;c:\windows\system32\drivers\SGuard.sys [2006-1-15 17857]
S4 0316081232008412mcinstcleanup;McAfee Application Installer Cleanup (0316081232008412);c:\docume~1\rick\locals~1\temp\031608~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\rick\locals~1\temp\031608~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S4 CA Personal Firewall ASEM;CA Personal Firewall ASEM;e:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe --> e:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe [?]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2009-01-15 02:08 <DIR> --d----- c:\docume~1\rick\applic~1\Malwarebytes
2009-01-15 02:08 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-15 02:08 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 02:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-15 02:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-11 17:20 <DIR> --d----- c:\docume~1\rick\applic~1\wsInspector
2009-01-11 17:17 <DIR> --d----- c:\program files\Startup Inspector for Windows
2009-01-10 16:13 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-01-10 16:10 <DIR> --d----- c:\windows\ERUNT
2009-01-10 15:49 <DIR> --d----- C:\SDFix
2009-01-08 13:18 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-08 13:17 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-08 13:17 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-08 13:17 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-29 10:35 <DIR> --d----- c:\program files\common files\McAfee
2008-12-29 10:34 <DIR> --d----- c:\program files\McAfee

==================== Find3M ====================

2009-01-09 15:46 75,328 a------- c:\docume~1\rick\applic~1\GDIPFONTCACHEV1.DAT
2009-01-08 16:55 4,793 a------- c:\windows\mozver.dat
2008-12-13 00:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 06:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2007-03-26 09:54 722,176 a------- c:\documents and settings\rick\gotomypc_428.exe
2004-10-01 15:00 40,960 a------- c:\program files\Uninstall_CDS.exe
2001-11-26 13:52 48,640 -------- c:\windows\inf\PRISMUSB.sys
2001-11-26 13:51 52,736 -------- c:\windows\inf\PRISMNDS.sys
2005-10-06 04:56 11,270 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-07-13 22:06 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071320080714\index.dat
2008-10-09 23:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 19:16:29.95 ===============



#2 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:08:28 PM

Posted 29 January 2009 - 11:57 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Also please explain your problem as fully as possible. Each little detail will help in getting your system cleaned up and functional again.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scans:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.



* Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif

* Double click on the DDS icon, allow it to run.
* A small box will open, with an explanation about the tool. No input is needed, the scan is running.
* Notepad will open with the results, click no to the Optional_Scan
* Follow the instructions that pop up for posting the results.
* Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#3 beesan

beesan
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:28 PM

Posted 29 January 2009 - 04:05 PM

Thank you for your reply to my post.

Since my initial discovery of the hack of my email account, I have run several scans, including 2 Malwarebytes scans. Two traces of MyWebSearch were discovered and removed.

I also did some Spybot S&D scans. From what I remember, nothing significant was discovered with those scans.

I also updated Java and Flash per secunia.com scan results, and uninstalled Yahoo Messenger and some other non-essential programs.

Log files from a Kaspersky online scan and Panda ActiveScan I did several days ago are attached to this post.

On January 9th, before becoming aware of this issue, I ran SDFix to make sure my system was clean. The results are also attached to this post.

During the past several months, I have run HijackThis and uploaded the log file to hijackthis.de. Several items were identified and I removed them. I have taken a screenshot of the backup log within HijackThis and attached it to this post. Please note the strange entry from Sept 9 2008 beginning with 017-HKLM.

As per instructions in your post, I ran Malwarebytes scan again and its results are below. I also ran DDS scan again and its log file is included. I have also attached the attach.txt from the scan to this post.

Malwarebytes' Anti-Malware 1.33
Database version: 1705
Windows 5.1.2600 Service Pack 3

1/29/2009 12:25:01 PM
mbam-log-2009-01-29 (12-25-01).txt

Scan type: Quick Scan
Objects scanned: 53325
Time elapsed: 6 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



DDS (Ver_09-01-19.01) - FAT32x86
Run by Rick at 13:16:54.11 on Thu 01/29/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.270 [GMT -6:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
FW: Outpost Firewall Pro *disabled*
FW: COMODO Firewall Pro *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Documents and Settings\Rick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.1852\swg.dll
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -s
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
IE: &Search -
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {8ABEC182-FED6-47FC-AFE1-00C7A773A00C} - c:\program files\movies extractor scout\flashextract.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\dcsws2.dll
Trusted Zone: bankofamerica.com\sitekey
Trusted Zone: bankofamerica.com\www
Trusted Zone: bcentral.com\www
Trusted Zone: billpaysite.com\www
Trusted Zone: com.hk\www.citibank
Trusted Zone: f-secure.com\support
Trusted Zone: go.com\www.espn
Trusted Zone: hitslink.com
Trusted Zone: insureme.com\affiliate
Trusted Zone: kaspersky.com\www
Trusted Zone: microsoft.com\office
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\www
Trusted Zone: msn.com\video
Trusted Zone: myprepaidrefill.com\www
Trusted Zone: pandasoftware.com\www
Trusted Zone: paypal.com\www
Trusted Zone: rewards-catalog.com\www
Trusted Zone: sightspeed.com\people
Trusted Zone: sightspeed.com\secure
Trusted Zone: sightspeed.com\www
Trusted Zone: testmyvoip.com\www
Trusted Zone: testyourvoip.com\www
Trusted Zone: voipreview.org\www
Trusted Zone: voxilla.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} - hxxp://dev.imagingworld.co.kr/printerhelp/introduction/DrPrinter.cab
DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - hxxp://www.pestpatrol.com/pestscan/pestscan.cab
DPF: {57B2CA01-6C40-44BB-9FCC-BFA7FADAA6E3} - hxxp://images.sightspeed.com/files/sightspeed_web_install.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231642163064
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231642115495
DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} - hxxp://www.nanoscan.com/cabs/nanoinst.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} - hxxp://www.dlink.com/products/livedemo/plugin/h263ctrl.cab
DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rick\applic~1\mozilla\firefox\profiles\68pfuwrv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\google updater\2.3.1334.1308\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npsabffx.dll
FF - plugin: c:\windows\system32\superadblocker.com\npsabffx.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-17 28544]
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-1-5 3968]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2007-11-23 79096]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2007-11-23 23672]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-2-20 33800]
R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2008-5-26 53752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 55024]
R3 ati2mtai;ati2mtai;c:\windows\system32\drivers\ati2mtai.sys [2005-8-3 346752]
R3 EL556;3Com 10/100 Mini PCI Ethernet Adapter NDIS 5.0 Driver;c:\windows\system32\drivers\EL556ND5.sys [2005-8-2 58951]
R3 maestro;ESS Maestro Audio Driver (WDM);c:\windows\system32\drivers\es198xdl.sys [2005-8-3 414400]
R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\drivers\WDHAALBA.sys [2005-8-2 706192]
R4 AnonMgmtSvc;Anonymizer Management Service;c:\program files\anonymizer\anonymizer software\common\AnonMgmtSvc.exe [2008-11-17 37560]
R4 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 312880]
R4 cmdAgent;COMODO Firewall Pro Helper Service;c:\program files\comodo\firewall\cmdagent.exe [2007-11-23 544512]
R4 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-2-20 472320]
R4 PAR1284;PAR1284;c:\windows\system32\drivers\par1284.sys [2004-8-14 54792]
R4 PPNT;PPNT;c:\windows\system32\drivers\ppnt.sys [2004-8-14 13824]
R4 procguard;procguard;c:\windows\system32\drivers\procguard.sys [2005-12-9 24911]
R4 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2004-5-21 114944]
S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [2005-8-2 281600]
S3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\drivers\EL556ND5.sys [2005-8-2 58951]
S3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\drivers\hp4200c.sys [2006-8-15 9312]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-9-8 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-9-8 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-9-8 81288]
S3 PRISM;Instant Wireless - Network PC CARD Driver;c:\windows\system32\drivers\PRISMNDS.sys [2001-11-26 52736]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 SGUARD;SGUARD;c:\windows\system32\drivers\SGuard.sys [2006-1-15 17857]
S4 CA Personal Firewall ASEM;CA Personal Firewall ASEM;e:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe --> e:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe [?]

=============== Created Last 30 ================

2009-01-26 10:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Anonymizer
2009-01-26 09:58 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\{773E7240-B347-4DFF-A6EF-6E829EDD59DF}
2009-01-23 15:18 2,560 a------- c:\windows\system32\drivers\mchInjDrv.sys
2009-01-19 12:02 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-17 16:15 399,360 a------- c:\windows\system32\dllcache\rpcss.dll
2009-01-17 16:12 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-01-15 02:08 <DIR> --d----- c:\docume~1\rick\applic~1\Malwarebytes
2009-01-15 02:08 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-15 02:08 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 02:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-15 02:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-11 17:20 <DIR> --d----- c:\docume~1\rick\applic~1\wsInspector
2009-01-11 17:17 <DIR> --d----- c:\program files\Startup Inspector for Windows
2009-01-10 16:13 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-01-10 16:10 <DIR> --d----- c:\windows\ERUNT
2009-01-10 15:49 <DIR> --d----- C:\SDFix
2009-01-08 13:18 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-08 13:17 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-08 13:17 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-08 13:17 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)

==================== Find3M ====================

2009-01-19 12:01 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-09 15:46 75,328 a------- c:\docume~1\rick\applic~1\GDIPFONTCACHEV1.DAT
2009-01-08 16:55 4,793 a------- c:\windows\mozver.dat
2008-12-13 00:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 04:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2007-03-26 09:54 722,176 a------- c:\documents and settings\rick\gotomypc_428.exe
2004-10-01 15:00 40,960 a------- c:\program files\Uninstall_CDS.exe
2001-11-26 13:52 48,640 -------- c:\windows\inf\PRISMUSB.sys
2001-11-26 13:51 52,736 -------- c:\windows\inf\PRISMNDS.sys
2005-10-06 04:56 11,270 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-07-13 22:06 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071320080714\index.dat
2008-10-09 23:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 13:18:08.66 ===============


#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:28 AM

Posted 29 January 2009 - 05:10 PM

edit : wrong post.

Edited by Thunder, 29 January 2009 - 05:11 PM.

Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - and make a difference

#5 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:08:28 PM

Posted 30 January 2009 - 05:48 PM

I have a question and a concern. First, the question. What kind of password did you have on your account? Was it a dictionary password, or something that someone who knew you would be able to easily guess? Did you have it written down somewhere, or entered into an automatic login or a form entry program?

Second, you are using both a VNC program and a p2p program. Do you have both of them restricted to a small area, just what they need? Or did you not install one or the other of these programs?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#6 beesan

beesan
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:28 PM

Posted 30 January 2009 - 08:04 PM

Thanks for looking at my logs.

Regarding my email password, it was a non-dictionary word combined with random numbers. I did have it written down, but only my wife and myself had access. I never allowed it to be saved within an automatic login or form entry program.

I did install the VNC program to allow computer control within my home network, however, I have not used it for well over a year.

To my knowledge, I do not have a p2p program installed on this PC. What program are you referring to?

#7 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:08:28 PM

Posted 30 January 2009 - 08:31 PM

If you are not using your VNC client I suggest that you uninstall it. ZoneAlarm as a default allows VPN protocols, so if VNC has permission, then you have an open remote control. Also, if you are no longer using it, I would uninstall STunnel as well. As for the P2P, SDFix sees that BitComet.exe is installed.

With the problem you are suspecting, you might want to go to the add / remove control panel and uninstall any software that you are not using anymore.

#8 beesan

beesan
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:28 PM

Posted 30 January 2009 - 10:16 PM

I tried out Bitcomet a couple of years ago and uninstalled it via Control Panel Add Remove Programs. There is still a Bitcomet folder in my Program Folder with some files, but BitComet.exe is not there anymore. I will go ahead and delete the folder.

I also uninstalled STunnel a long time ago. I searched my PC and can't find any file named STunnel.exe.

I noticed a couple of other programs listed in the SDfix log that I had already uninstalled. I guess the uninstallers for some programs don't remove everything.

I will take your advice and get rid of VNC. I use Comodo Firewall.

Do you think my system has a keylogger on it?

#9 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:08:28 PM

Posted 30 January 2009 - 11:27 PM

Did you try the Zonealarm firewall in the past?
C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
If you have uninstalled it, then that definitely needs to be cleaned up. I can get you the instructions for removing all the remnants of it.

As for the keylogger, I don't see evidence of one, but with your concerns we can run a few more scans just to make sure. One thing to also do is to look over the back of your computer and make sure that a dongle was put in between any device and the computer. Some may be needed to convert one plug type to another. But if there is something that looks like it is only an extension, then take it out. Also look at where your computer sits. Can anyone watch you type on your keyboard through a window? I am not trying to make you paranoid, just trying to think of other ways someone could get the password.

Also, I just thought: if your webhost can tell when a hack was done, does he have an IP address from where the hack was done? Is there, or can you keep, a log of the access to your account? If you are using webmail, can you turn off the non-secured login and only allow your e-mail to be checked via https? Also, how long a password can you have? One way to block him is to use a much longer password. I use Keepass to keep track of my passwords. I make them as long as possible. I keep my password file stored on an SD card and it requires a 20 character password that is written down nowhere (it's the one password I have to remember) and a key file stored somewhere else. Without both, I can't get my passwords, and they are all randomly generated with additional entropy (so that it's not using the random generator built into my system).

About cleaning up the bits and pieces left behind when you uninstalled programs, something I have been using for a long time is Easy Cleaner. Just make sure you use the URL in that link and not the obvious <http://www.toniarts.com/>. It's a nice, lightweight little program that does searches but lets you choose what to get rid of.


Anyway, on to checking into your system some more. Let's check for a rootkit.

let's clean up some unnecessary disk clutter:

Please download ATF Cleaner by Atribune.

This program is for Vista, XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt, and uncheck cookies if you would like to retain them.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt, and uncheck cookies if you want to retain them.
    Click Exit on the Main menu to close the program.

Reboot


Please download Gmer:

http://www.gmer.net/gmer.zip

Now let's perform a Gmer rootkit scan:
  • Double-click Gmer.exe to run the program.
  • When the program opens, click the >>> Tab
  • On the right-side, check all the items to be scanned, but leave "Show All" unchecked
  • Select all drives that are connected to your system to be scanned
  • Click the Scan button
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  • Save the gmer scan log and post it in your next reply.
  • Close Gmer
  • Open a command prompt (Start | run |type cmd and hit Enter)
  • Type or paste the following to unload the Gmer driver:
    • net stop gmer
  • Hit Enter
  • Exit the command prompt.
Also, I noticed that you did a quick scan with Malwarebytes' Anti-Malware; what you should do is update it and then do a full scan (not a quick scan) with it. It will take several hours.
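Hoov's reply above recommends a much longer password, generated randomly with extra entropy mixed in. The following Python block is an added example written for this thread (it is not code from the thread and not KeePass's own generator) of what that advice means in practice: it mixes caller-supplied entropy into the OS random source, draws characters with rejection sampling so no symbol is favoured, and reports how many bits of entropy a password of a given length carries next to the "word plus digits" style discussed earlier. The `extra_entropy` bytes and the 50,000-word dictionary size are assumptions standing in for keystroke timings and a typical word list.

```python
import hashlib
import hmac
import math
import os
import string

# Printable ASCII minus space (94 symbols). Some sites reject punctuation,
# so pass a smaller alphabet if needed; alphabets must have at most 256 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a password whose `length` symbols are drawn uniformly
    from `alphabet_size` choices: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


class MixedEntropyPool:
    """Byte stream keyed by OS randomness plus caller-supplied entropy.

    The key is SHA-256(os.urandom(32) || extra), so the output stays
    unpredictable as long as at least one of the two sources is.
    Bytes come from HMAC-SHA256(key, counter), a PRF in counter mode.
    This is an illustrative construction, not KeePass's generator.
    """

    def __init__(self, extra_entropy: bytes = b"") -> None:
        self._key = hashlib.sha256(os.urandom(32) + extra_entropy).digest()
        self._counter = 0
        self._buf = bytearray()

    def _refill(self) -> None:
        block = hmac.new(self._key, self._counter.to_bytes(8, "big"), hashlib.sha256).digest()
        self._counter += 1
        self._buf.extend(block)

    def next_byte(self) -> int:
        if not self._buf:
            self._refill()
        return self._buf.pop(0)

    def choice(self, alphabet: str) -> str:
        """Uniform choice from `alphabet` using rejection sampling.

        Using byte % n directly would favour the first 256 % n symbols;
        discarding bytes >= limit removes that modulo bias.
        """
        n = len(alphabet)
        if not 0 < n <= 256:
            raise ValueError("alphabet must have 1..256 symbols")
        limit = 256 - (256 % n)
        while True:
            b = self.next_byte()
            if b < limit:
                return alphabet[b % n]


def generate_password(length: int, extra_entropy: bytes = b"", alphabet: str = ALPHABET) -> str:
    """Random password of `length` symbols from `alphabet`."""
    pool = MixedEntropyPool(extra_entropy)
    return "".join(pool.choice(alphabet) for _ in range(length))


def compare_policies() -> dict:
    """Entropy of the password styles discussed in the thread.

    Assumed models: one word from a 50,000-word dictionary plus 4 random
    digits, versus 20 and 40 uniformly random printable characters.
    """
    return {
        "word+4digits": math.log2(50_000) + entropy_bits(4, 10),
        "random20": entropy_bits(20),
        "random40": entropy_bits(40),
    }


if __name__ == "__main__":
    # Constructed stand-in for user-supplied entropy (e.g. keystroke timings).
    extra = b"\x12\x9f\x03\x44 constructed timing sample"
    print(generate_password(20, extra))
    for name, bits in compare_policies().items():
        print(f"{name:13s} {bits:6.1f} bits")
```

The numbers make the point of the post concrete: a dictionary word with four digits is under 30 bits however clever the word is, while 20 random printable characters give about 131 bits. If a site caps password length, keep the full alphabet and use every character it allows.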

#10 beesan

beesan
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:28 PM

Posted 31 January 2009 - 12:52 PM

I did use ZoneAlarm in the past. I'd appreciate instructions on removing left over remnants.

There are no unnecessary extensions attached to the back of my PC and no opportunities to view my keyboard from an open window.

What the hacker did was set up a forwarding email rule. Basically, he was receiving a copy of all messages sent to me. He also set up a domain alias. From my understanding, this also allowed him to receive copies of all email sent to me.

I have been in contact with my web host. It is apparent that the hacker gained access to my web hosting control panel. That is how he set up the domain alias. From the web host control panel, the hacker could have also set up the forward and also accessed my email account via a web mail interface that can be launched from the web site control panel.

I asked my web host for the IP addresses that logged into my web site control panel but they could not or would not give me this information. I pressed them on this, but no success so far. My web host did say my IP address is the only IP address that has accessed my email account. Since they have not provided me a log file, I am not sure I believe them on this.

If there is no key logger installed on my PC, then I believe the hacker was able to gain login credentials for my web host via a social engineering attack.

I have now changed web hosting companies, but I am not really confident that my current web host could resist a similar social engineering attack. I am researching this, but any advice as to how I can find a web host, or enable my current web host to resist future social engineering attacks would be appreciated.

Thank you for recommending keepass. Does an SD card have an advantage over a USB thumb drive? Can you recommend any links to reading material that would allow me to implement a password system like yours?

I also downloaded EasyCleaner and will start using it regularly.

I have attached my gmer log to this post.

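The post above describes the two things the intruder actually changed: a forwarding rule that kept local delivery and sent a copy elsewhere, and a domain alias. As an added example, not from the thread and not tied to any particular hosting control panel (the thread never names the mail software), the Python block below audits a Postfix-style virtual alias table for exactly those patterns: any target outside the domains the owner controls, a "silent copy" where the mailbox keeps local delivery and also forwards externally, and catch-all domain aliases. The table contents, the owned-domain list and the `attacker.example` address are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample: a Postfix-style virtual alias table ("lhs  rhs[, rhs...]").
# The first entry reproduces the silent-copy forward described in the thread;
# the '@example-alias.com' entry is a catch-all that delivers a whole second
# domain into the victim's mailbox.
SAMPLE_VIRTUAL_MAP = """\
# virtual alias map (constructed for this example)
rick@example.com        rick@example.com, mailcopy@attacker.example
sales@example.com       rick@example.com
@example-alias.com      rick@example.com
postmaster@example.com  rick@example.com, admin@example.com
"""

# Assumed: the domains this site owner actually controls.
OWNED_DOMAINS = {"example.com"}


@dataclass
class Finding:
    address: str   # left-hand side of the alias entry
    target: str    # where mail for it is delivered
    reason: str


def parse_virtual_map(text: str) -> dict[str, list[str]]:
    """Parse alias lines; '#' comments, blank and malformed lines are skipped."""
    table: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # no target list; ignore rather than guess
        lhs, rhs = parts
        table[lhs] = [t.strip() for t in rhs.split(",") if t.strip()]
    return table


def domain_of(address: str) -> str:
    """Domain part of 'user@domain' or '@domain', lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def audit_forwarding(text: str, owned: set[str]) -> list[Finding]:
    """Flag external forwards, silent copies and catch-all aliases."""
    findings: list[Finding] = []
    for lhs, targets in parse_virtual_map(text).items():
        if lhs.startswith("@"):
            # Catch-all: every address on that domain lands in the target mailbox.
            for t in targets:
                findings.append(Finding(lhs, t, "catch-all domain alias; confirm the owner created it"))
        for t in targets:
            if domain_of(t) in owned:
                continue
            if lhs in targets:
                reason = "silent copy: local delivery kept and mail also forwarded externally"
            else:
                reason = "mail forwarded to a domain outside the owner's control"
            findings.append(Finding(lhs, t, reason))
    return findings


if __name__ == "__main__":
    for f in audit_forwarding(SAMPLE_VIRTUAL_MAP, OWNED_DOMAINS):
        print(f"{f.address:24s} -> {f.target:28s} {f.reason}")
```

Run it periodically against an export of the alias table (or the control panel's forwarder list, once converted to this shape) and diff the findings against the last run: a forwarder that appears without a corresponding change request is the kind of change the web host in this thread could not or would not show in a log.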

#11 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:08:28 PM

Posted 31 January 2009 - 01:19 PM

* Next go to Start > Search > Files and Folders. Make sure the location box is set to search your Local Hard Drive (usually C:\ ) or All Local Drives. Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Look for "Hidden files and folders"
Select "Show hidden files and folders"
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected: Search System folders, Search Hidden Files and folders, Search SubFolders.
Now copy the entire line below, paste it into the search box and click Search Now.

Zonelabs; "zone labs"; "Internet logs"; vsconfig.xml; vsdata.dll; vsdata95.vxd; vsdatant.sys; vsmon.*; vsmonapi.dll; vsnetutils.dll;vspubapi.dll; zaplus.*; zapro.*; zllictbl.dat; zlparser.dll; zonealarm.exe; zoneband.dll; vsutil.dll; zlclient.*


A list of files and folders belonging to ZoneAlarm will appear in the Search Results pane.
Note: if you’re using McAfee software be sure to check the vsutil.dll if found: right click the file and choose Properties. Verify it belongs to ZoneLabs.
If it does not, do not remove it. Now proceed by deleting all ZoneLabs files and folders that were found.

* Empty the Recycle Bin.

* Now remove all ZoneLabs keys that may be left in the Windows registry. To do this copy the lines below and paste them into Notepad.
Save the file as zabegone.reg, double click it and allow for the registry changes to be made.

REGEDIT4
[-HKEY_CLASSES_ROOT\ZAMailSafe]
[-HKEY_CURRENT_USER\Software\Zone Labs]
[-HKEY_LOCAL_MACHINE\Software\Zone Labs]
[-HKEY_USERS\.DEFAULT\Software\Zone Labs]



* REBOOT
ZoneAlarm will now be completely removed from your computer. If you wish to install a new copy of ZA, be sure to do so under an administrator account with full rights and permissions.


It sounds as if you have dealt with the hosting company the best way possible, by leaving. If you have been harmed in any way, you may be able to get your local or state police to investigate. They would be able to pry the IP address from the hosting company. If you were not harmed in a legal way, then you are probably already following the best course of action. Check around on the net about your current hosting company and see what their reputation is. Also make sure they apply security updates in a timely manner to their software.

About the password setup, yes, a thumbdrive can be used. I started out with one, and it worked well. My SD card I can hide in my wallet. That is why I switched. About finding out how to do it, the Keepass link site has loads of information on how to do it. Everything I know about it is on that site.

I am going thru the log now, but at first blush I would say you are clean. Give me a bit to go thru it though.

#12 beesan

beesan
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:28 PM

Posted 03 February 2009 - 09:20 PM

I followed your instructions in regards to searching for ZoneAlarm files.

The only thing found was "Internet logs" folder. I deleted it.

I also allowed the registry changes to be made.

I need to do some reading on Keepass.

Any further insights regarding the gmer logs?

Also, in post #3 of this thread, there is a screen shot from HiJackThis removed entries.

I am concerned about the following entry that I removed:

O17 - HKLM\System\CCS\Services\Tcpip\..\{D176FE03-8A76-479B-93CA-6FA42CC288AC}: NameServer = 74.134.1.164,74.134.1.166

I deleted this entry based on the advice of the automatic log analyser from HiJackThis.de.

Do you have any comments on how such an entry could have gotten onto my system?

Edited by beesan, 03 February 2009 - 09:27 PM.
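The O17 entry beesan asks about records the NameServer value HijackThis found under one Tcpip interface key. Whether such an entry is benign (an ISP's resolvers handed out by DHCP, or typed in by hand) or a DNS change made by malware cannot be told from the line alone; it has to be compared with the resolvers the owner expects. As an added example, not from the thread, the Python block below parses O17 NameServer lines out of a HijackThis-style log and flags any resolver that is not on an allowlist, separating private addresses (usually the home router) from public ones that should be checked against the ISP's published DNS servers. The allowlist addresses, the second O17 line and the Domain line are constructed; the first O17 line is the one from this thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Matches 'O17 - HKLM\System\<controlset>\Services\Tcpip\..\{GUID}: NameServer = a,b'.
# The key part is kept verbatim so the finding points at the right interface.
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\\S+?): NameServer = (?P<servers>[\d., ]+)\s*$")

# Constructed sample log. Line 2 is the entry quoted in the thread; the
# Domain line and the CS1 line are made up for the example.
SAMPLE_HJT_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = home.lan
O17 - HKLM\System\CCS\Services\Tcpip\..\{D176FE03-8A76-479B-93CA-6FA42CC288AC}: NameServer = 74.134.1.164,74.134.1.166
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A0B0C0D-0000-4000-8000-000000000001}: NameServer = 192.168.1.1
"""

# Assumed allowlist: the home router plus one resolver the ISP documents
# (192.0.2.53 is a documentation-range placeholder, not a real resolver).
ALLOWED_RESOLVERS = ["192.168.1.1", "192.0.2.53"]


@dataclass
class NameServerEntry:
    key: str
    servers: list[str]


def parse_o17(log: str) -> list[NameServerEntry]:
    """Extract NameServer entries; other O17 forms (Domain, etc.) are skipped."""
    entries: list[NameServerEntry] = []
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append(NameServerEntry(m.group("key"), servers))
    return entries


def audit_nameservers(log: str, allowlist: list[str]) -> list[tuple[str, str, str]]:
    """Return (key, server, reason) for every resolver not on the allowlist."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    findings: list[tuple[str, str, str]] = []
    for entry in parse_o17(log):
        for server in entry.servers:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                findings.append((entry.key, server, "not a valid IP address"))
                continue
            if ip in allowed:
                continue
            if ip.is_private:
                findings.append((entry.key, server,
                                 "private resolver not on the allowlist (router or LAN DNS?)"))
            else:
                findings.append((entry.key, server,
                                 "public resolver not on the allowlist; verify against the ISP's published DNS servers"))
    return findings


if __name__ == "__main__":
    for key, server, reason in audit_nameservers(SAMPLE_HJT_LOG, ALLOWED_RESOLVERS):
        print(f"{server:16s} {reason}\n    {key}")
```

A finding is a prompt to verify, not a verdict: the two 74.134.x addresses in the thread's entry are flagged only because the constructed allowlist does not contain them. The practical check is to look up who operates those addresses and whether the ISP lists them as its resolvers; if they belong to the ISP the entry is normal DHCP residue, and if not, the interface's DNS settings were changed by something other than the ISP.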


#13 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:08:28 PM

Posted 03 February 2009 - 09:57 PM

No problems that I can see. The big thing it shows is you have and are using a firewall. Sorry, I thought I told you.

Any more questions, comments, concerns? If not then there are a few more cleanup kinds of things we need to do.

#14 beesan

beesan
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:28 PM

Posted 09 February 2009 - 10:34 PM

Sorry for the delay in replying.

I am happy to hear that no malware was found.

Any other suggestions for PC cleanup would be appreciated.

#15 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:08:28 PM

Posted 09 February 2009 - 10:46 PM

just the normal kind of things that I usually tell people when we get done,

Now there are some things you need to do to fully clean your system and keep it secure.

Cleaning out Temporary Files etc. There are several different products that you can use for this. You can go thru the Internet Options in the Windows Control Panel. There are several programs that also do the job better than Windows does it, in my opinion: System Security Suite, EasyCleaner, Ccleaner. Also, sometimes other programs do it as well as what you originally got them for, like ZoneAlarm Security Suite. Just make sure to keep them updated and use them regularly.

Disable and Enable System Restore.
If you are using Windows Vista or XP, then I recommend you turn off System restore, and then turn it back on so that you will not be able to restore your problems to a clean computer.

Here are some good tutorials for that.
Windows Vista Restore Guide
or
Windows XP System Restore Guide
Reboot
Re-enable system restore with instructions from tutorial above

Create a System Restore Point
Go to all programs, then to accessories, then to system tools, then to system restore. Check the box for create restore point (not select a restore point), then click next and follow the instructions.

Make your Internet Explorer more secure - This can be done by following these simple instructions: (unless you are using ZoneAlarm Security Suite or something similar, then you would secure the browser thru the firewall).

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Also see the following: Securing Your Web Browser
Working with Internet Explorer 6 Security

Use a different browser other than IE (most exploits are pointed towards IE). One of them is Firefox.
It is also worth trying Thunderbird for controlling spam in your e-mail.


Always use an UPDATED anti-virus program. Make sure you update this at least weekly, if not more often. This is one thing that may save you more than anything else.

Run malware scanners. Three free ones are Spybot Search and Destroy, AdAware and Malwarebytes' Anti-Malware.


Always use a firewall.
Any firewall is better than none, and you should pick a firewall that you will use, as even the best firewall is worthless if you turn it off.

Learn how to use your firewall. Only programs that need it should have access to the net. But these are specific to the firewall you use, so you will need to learn how. Several firewalls have support forums here. My page will help you with ZoneAlarm if that is what you choose.


Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems. Some people swear that more protection is provided, but the reverse is true. They tend to argue amongst themselves and end up leaving holes. Now I have more than 1 AV installed on my computer, and I keep them up to date. I only run one at a time, but each program has weaknesses, so I keep a backup in case my computer starts acting up.


MOST IMPORTANT : Windows and IE, and whatever other software that you have that connects to the net, needs to be kept updated. The reason is, these programs connect to the net, and if there is an internal security problem, you have already told your firewall to allow the communication, and thus you will have allowed a hole. UPDATES are important. I suggest that you make sure that Windows Updates and the updates for your antivirus and antimalware programs are set for automatic updates.

Don't ever use P2P or filesharing software. Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities.

Before using any malware detection / removal software, check with Rogue/Suspect Spyware List and Rogue Applications List. That way you will know if the program you are looking at is on the up and up. If you want to know how it stacks up against other programs, check out SpywareWarrior.

We have a good guide here at Spyware Hammer on how to prevent Malware in the Future. You might want to peruse this and follow the recommendations in there.
PLEASE READ IT AND FOLLOW THE RECOMMENDATIONS TO PROTECT YOURSELF.

Let us know if you have any more problems, either new or old.
Have a good time surfing the net, but stay safe.
If you have no more problems, let me know and I will mark this as resolved. Or if you have more questions, ask away, that is why I am here.
