Infected trojan or keylogger



#1 forzeti

Posted 10 June 2009 - 07:16 AM

I have recently had my Amazon.com account stolen, and someone made several digital purchases of Xbox 360 game cards. How they got my account is unknown. I suspect it was a keylogger. Below is my DDS log file.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Anon at 4:58:18.59 on Wed 06/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1219 [GMT -7:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
svchost.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Common Files\System\aa.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\bugoilen\bungo659.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\TEMP\pn.exe
C:\WINDOWS\Cursors\supdate.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Anon\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
mWinlogon: Shell=Explorer.exe c:\windows\cursors\lsass.exe
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
uRun: [CurseClient] c:\program files\curse\CurseClient.exe -silent
uRun: [AdobeBridge]
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [WinUpd32] c:\windows\system32\WinUpd32.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [SpywareTerminator] "c:\progra~1\spywar~1\SpywareTerminatorShield.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
dRun: [WinUpd32] c:\windows\system32\WinUpd32.exe
StartupFolder: c:\docume~1\anon\startm~1\programs\startup\needfo~1.lnk - c:\program files\ea games\need for speed undercover\support\EAregister.exe
IE: Crawler Search - tbr:iemenu
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anon\applic~1\mozilla\firefox\profiles\9m3chfrb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\progra~1\sonyon~1\npsoe.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\opera\program\plugins\npsoestb.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-5-19 141312]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R2 Services;Services;c:\program files\common files\system\aa.exe [2009-6-8 55296]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-4-10 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-4-10 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-4-10 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-4-10 677128]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-13 24652]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-4-10 335376]
S2 xxm56yt7ut;ut785478iy;c:\program files\common files\bugoilen\bungo659.exe [2009-6-6 215066]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-06-10 04:45 <DIR> --d----- C:\Autoruns
2009-06-09 15:57 267,264 a------- c:\windows\system32\WinUpd32.exe
2009-06-09 15:55 159,232 a------- C:\softokn3.dll
2009-06-09 15:55 8,704 a------- C:\plc4.dll
2009-06-09 15:55 6,144 a------- C:\plds4.dll
2009-06-09 15:55 176,128 a------- C:\nss3.dll
2009-06-09 15:55 73,728 a------- C:\nspr4.dll
2009-06-09 05:56 447,752 a----r-- c:\windows\system32\vp6vfw.dll
2009-06-09 05:56 <DIR> --d----- c:\program files\Microsoft WSE
2009-06-08 19:13 0 a------- c:\windows\udhcpa.cab
2009-06-08 05:10 334,792 a------- c:\windows\system32\_AxShlEx.dll
2009-06-08 05:09 <DIR> --d----- c:\program files\Alcohol Soft
2009-06-08 05:05 716,272 a------- c:\windows\system32\drivers\sptd.sys
2009-06-08 03:53 48,128 a------- c:\windows\system\WNASPI32.DLL
2009-06-08 03:52 <DIR> --d----- c:\docume~1\anon\applic~1\fltk.org
2009-06-08 03:43 55,808 a------- c:\windows\system\zlib1.dll
2009-06-08 03:38 <DIR> --d----- c:\program files\Delta
2009-06-08 03:27 <DIR> --d----- c:\program files\DOSBox-0.73
2009-06-08 03:11 <DIR> --d----- c:\program files\Hell Fighter 32
2009-06-07 22:46 <DIR> --d----- c:\program files\GamersFirst
2009-06-06 08:52 <DIR> --d----- c:\program files\Rosetta Stone
2009-06-06 08:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Rosetta Stone
2009-06-06 08:52 <DIR> --dshr-- c:\program files\common files\bugoilen
2009-06-05 06:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Marginal Team
2009-06-04 22:01 63,650 a------- c:\windows\War3Unin.dat
2009-06-04 22:01 139,264 a------- c:\windows\War3Unin.exe
2009-06-04 22:01 2,829 a------- c:\windows\War3Unin.pif
2009-06-03 04:24 <DIR> --d----- c:\program files\Sony Online Entertainment
2009-06-02 23:37 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-05-31 00:09 204,800 a------- c:\windows\system32\Ffpage.dll
2009-05-31 00:09 69,632 a------- c:\windows\system32\Ffdriver.dll
2009-05-31 00:09 <DIR> --d----- c:\program files\Game Elements PC Recoil Pad
2009-05-30 23:20 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-05-30 23:20 138,184 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-05-30 23:20 183,112 a------- c:\windows\system32\PnkBstrB.exe
2009-05-30 23:07 <DIR> --d----- c:\program files\EA Games
2009-05-30 13:54 <DIR> --d----- c:\windows\8AAB4176A747493AA42CB63CFADFD8E3.TMP
2009-05-30 13:54 418,480 a------- c:\windows\system32\wrap_oal.dll
2009-05-30 13:54 115,432 a------- c:\windows\system32\OpenAL32.dll
2009-05-30 13:54 <DIR> --d----- c:\program files\OpenAL
2009-05-28 14:22 <DIR> --d-h--- c:\windows\PIF
2009-05-24 22:24 <DIR> --d----- c:\program files\TweetDeck
2009-05-23 17:02 69 a------- c:\windows\NeroDigital.ini
2009-05-23 16:54 <DIR> --d----- c:\program files\Avi2Dvd
2009-05-23 16:29 <DIR> --d----- c:\docume~1\anon\applic~1\NeroDigital™
2009-05-23 16:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LightScribe
2009-05-23 15:44 <DIR> --d----- c:\program files\Nero
2009-05-23 15:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-05-23 15:18 <DIR> --d----- C:\MAGICDVDCOPY_TEMP
2009-05-23 15:18 87,608 a------- c:\docume~1\anon\applic~1\inst.exe
2009-05-23 15:18 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-05-23 15:18 47,360 a------- c:\docume~1\anon\applic~1\pcouffin.sys
2009-05-19 22:36 <DIR> --d----- c:\program files\Curse
2009-05-19 22:11 <DIR> --d----- c:\program files\Crawler
2009-05-19 22:11 141,312 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-05-19 22:11 <DIR> --d----- c:\docume~1\anon\applic~1\Spyware Terminator
2009-05-19 22:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2009-05-19 22:11 <DIR> --d----- c:\program files\Spyware Terminator
2009-05-15 06:15 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{D0D0BE61-F9F3-4330-BF43-3FC63530C4E6}
2009-05-15 06:11 <DIR> --d----- c:\program files\WebEx
2009-05-15 06:08 <DIR> --d----- c:\windows\system32\XPSViewer
2009-05-15 06:07 14,048 -------- c:\windows\system32\spmsg2.dll
2009-05-15 06:06 23,984 a------- c:\windows\system32\drivers\pnarp.sys
2009-05-15 06:06 25,264 a------- c:\windows\system32\drivers\purendis.sys
2009-05-15 06:06 <DIR> --d----- c:\program files\common files\Pure Networks Shared
2009-05-15 06:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Pure Networks
2009-05-15 06:05 939,368 a----r-- c:\windows\system32\myflash.ocx
2009-05-12 04:39 <DIR> --d----- c:\docume~1\anon\applic~1\GetRightToGo

==================== Find3M ====================

2009-06-09 16:54 267,264 a------- c:\windows\cursors\supdate.exe
2009-06-07 11:35 287,745 ---sh--- c:\windows\cursors\lsass.exe
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-15 06:04 14 a------- c:\program files\version.txt
2009-05-03 00:05 660 ---shr-- C:\io64.sys
2009-05-01 00:31 1,657,376 a------- c:\windows\system32\nwiz.exe
2009-05-01 00:31 449,056 a------- c:\windows\system32\nvappbar.exe
2009-05-01 00:31 436,768 a------- c:\windows\system32\keystone.exe
2009-05-01 00:31 1,724,416 a------- c:\windows\system32\nvwdmcpl.dll
2009-05-01 00:31 1,507,328 a------- c:\windows\system32\nview.dll
2009-05-01 00:31 1,101,824 a------- c:\windows\system32\nvwimg.dll
2009-05-01 00:31 466,944 a------- c:\windows\system32\nvshell.dll
2009-04-30 22:02 9,994,240 a------- c:\windows\system32\nvoglnt.dll
2009-04-30 22:02 8,055,584 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-04-30 22:02 5,896,320 a------- c:\windows\system32\nv4_disp.dll
2009-04-30 22:02 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-04-30 22:02 1,579,630 a------- c:\windows\system32\nvdata.bin
2009-04-30 22:02 1,314,816 a------- c:\windows\system32\nvcuvenc.dll
2009-04-30 22:02 806,912 a------- c:\windows\system32\nvapi.dll
2009-04-30 22:02 663,552 a------- c:\windows\system32\nvcuvid.dll
2009-04-30 22:02 457,248 a------- c:\windows\system32\nvudisp.exe
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcodins.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcod.dll
2009-04-27 00:42 457,248 a------- c:\windows\system32\NVUNINST.EXE
2009-04-13 19:36 8,284,672 a------- c:\windows\system32\logonuiX.exe
2009-04-10 16:50 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-10 16:24 2,678 a------- c:\windows\java\packages\data\8DRJLZRN.DAT
2009-04-10 16:24 2,678 a------- c:\windows\java\packages\data\4UMHZX3D.DAT
2009-04-10 16:24 2,678 a------- c:\windows\java\packages\data\YX3B93NV.DAT
2009-04-10 16:24 2,678 a------- c:\windows\java\packages\data\BL3ZNJPB.DAT
2009-04-10 16:24 2,678 a------- c:\windows\java\packages\data\00BD7ZH7.DAT
2009-04-10 15:05 15,600 a------- c:\windows\gdrv.sys
2009-04-10 15:03 315,392 a------- c:\windows\HideWin.exe
2009-04-10 14:47 558,142 a------- c:\windows\java\packages\RDJXZTZ5.ZIP
2009-04-10 14:47 155,995 a------- c:\windows\java\packages\Z57NPVLZ.ZIP
2009-04-10 14:44 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll

============= FINISH: 4:58:47.60 ===============

#2 forzeti

Posted 10 June 2009 - 11:57 AM

Formatted / reinstalled Windows to ensure the keylogger is gone. Please close thread.

#3 harrythook

  • Security Colleague

Posted 10 June 2009 - 03:15 PM

As this issue seems to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
For all others, if you have a similar issue please start a new topic.

Thanks for asking in BleepingComputer.com
