Online Account Funds Stolen, Please Check My Logs

  • This topic is locked
2 replies to this topic

#1 tmf0000


  • Members
  • 2 posts
  • Local time:02:10 AM

Posted 07 September 2009 - 11:41 AM

I suspect that someone has hacked into my system and used my password to log onto my online poker account and steal my money. I've scanned my system with Kaspersky antivirus and found no threats. Please let me know if there is anything unusual in these logs. The poker site is currently investigating the matter so I don't have all the details on how the hacker got into my account, however, I want to be sure that my computer is secure. Thanks

DDS Log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Tom at 12:18:19.50 on Mon 09/07/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2150 [GMT -7:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
C:WINDOWSSystem32svchost.exe -k netsvcs
C:Program FilesIntelWirelessBinS24EvMon.exe
C:Program FilesIntelWirelessBinEvtEng.exe
C:Program FilesIntelIntel Matrix Storage ManagerIaantmon.exe
C:Program FilesCommon FilesIntuitUpdate ServiceIntuitUpdateService.exe
C:Program FilesIntelWirelessBinRegSrvc.exe
c:Program FilesMicrosoft SQL Server90Sharedsqlwriter.exe
C:WINDOWSsystem32svchost.exe -k imgsvc
C:Program FilesToshibaToshiba Appletthotkey.exe
C:Program FilesTOSHIBATOSHIBA ControlsTFncKy.exe
C:Program FilesIntelIntel Matrix Storage ManagerIaanotif.exe
C:Program FilesSynapticsSynTPSynTPEnh.exe
C:Program FilesIntelWirelessbinZCfgSvc.exe
C:Program FilesIntelWirelessBinifrmewrk.exe
C:Program FilesSpybot - Search & DestroyTeaTimer.exe
C:WINDOWSSystem32svchost.exe -k HTTPFilter
C:Program FilesIntelWirelessBinDot1XCfg.exe
C:Program FilesPokerTracker 3PokerTracker.exe
C:Program FilesPokerTracker 3PokerTracker.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesKaspersky LabKaspersky Anti-Virus 2010klwtblfs.exe
C:Documents and SettingsTomDesktopdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:program filescommon filesadobeacrobatactivexAcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:progra~1spybot~1SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:program fileskaspersky labkaspersky anti-virus 2010ievkbd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:program filesjavajre1.6.0_03binssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:program fileskaspersky labkaspersky anti-virus 2010klwtbbho.dll
uRun: [SpybotSD TeaTimer] c:program filesspybot - search & destroyTeaTimer.exe
mRun: [THotkey] c:program filestoshibatoshiba appletthotkey.exe
mRun: [TFncKy] TFncKy.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:windowssystem32igfxtray.exe
mRun: [HotKeysCmds] c:windowssystem32hkcmd.exe
mRun: [Persistence] c:windowssystem32igfxpers.exe
mRun: [IAAnotif] "c:program filesintelintel matrix storage managerIaanotif.exe"
mRun: [SynTPEnh] c:program filessynapticssyntpSynTPEnh.exe
mRun: [IntelZeroConfig] "c:program filesintelwirelessbinZCfgSvc.exe"
mRun: [IntelWireless] "c:program filesintelwirelessbinifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [TPSMain] TPSMain.exe
mRun: [COMODO Firewall Pro] "c:program filescomodofirewallcfp.exe" -h
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:program filesjavajre1.6.0_03binssv.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:program fileskaspersky labkaspersky anti-virus 2010klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:program fileskaspersky labkaspersky anti-virus 2010klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:progra~1spybot~1SDHelper.dll
Trusted Zone: turbotax.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228878961968
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:windowssystem32klogon.dll
AppInit_DLLs: ,c:progra~1kasper~1kasper~1mzvkbd3.dll

================= FIREFOX ===================

FF - ProfilePath - c:docume~1tomapplic~1mozillafirefoxprofilesqo270qhw.default
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:program filesmozilla firefoxextensionslinkfilter@kaspersky.rucomponentsKavLinkFilter.dll
FF - plugin: c:program filesmozilla firefoxpluginsnpbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:windowsmicrosoft.netframeworkv3.5windows presentation foundationdotnetassistantextension

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:windowssystem32driverskl1.sys [2009-6-15 128016]
R1 KLIF;Kaspersky Lab Driver;c:windowssystem32driversklif.sys [2009-9-7 296976]
R2 IntuitUpdateService;Intuit Update Service;c:program filescommon filesintuitupdate serviceIntuitUpdateService.exe [2008-10-10 13088]
R2 MsDtsServer100;SQL Server Integration Services 10.0;c:program filesmicrosoft sql server100dtsbinnMsDtsSrvr.exe [2008-7-10 218136]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:program filespostgresql8.3binpg_ctl.exe [2008-2-1 65536]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:program filesmicrosoft sql servermsrs10.mssqlserverreporting servicesreportserverbinReportingServicesService.exe [2008-7-10 1106968]
R3 FwLnk;FwLnk Driver;c:windowssystem32driversFwLnk.sys [2008-3-6 5888]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:windowssystem32driversklim5.sys [2009-5-13 31760]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:windowssystem32driversklbg.sys [2008-12-15 33808]
S3 AVP;Kaspersky Anti-Virus;c:program fileskaspersky labkaspersky anti-virus 2010avp.exe [2009-7-3 303376]
S3 IO_Memory;IO_Memory;??c:sysprepdriversioport.sys --> c:sysprepdriversioport.sys [?]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:windowssystem32driversklmouflt.sys [2009-5-16 19472]
S3 SVRPEDRV;SVRPEDRV;??c:sysprepup_datepedrv.sys --> c:sysprepup_datePEDrv.sys [?]
S4 fbdpinger;fbdpinger;c:windowsfdbpinger.exe [2008-3-14 157040]
S4 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:program filesmicrosoft sql servermssql10.mssqlservermssqlbinnfdlauncher.exe [2008-7-10 31256]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:program filesmicrosoft sql server100sharedsqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:windowssystem32driversRsFx0102.sys [2008-7-10 242712]

=============== Created Last 30 ================

2009-09-07 11:40 <DIR> --d----- c:program filesTrend Micro
2009-09-07 01:13 604,140 a--sh--- c:windowssystem32driversISwift3.dat
2009-09-07 01:11 105,395 a------- c:windowssystem32driversklin.dat
2009-09-07 01:11 94,643 a------- c:windowssystem32driversklick.dat
2009-09-07 01:11 <DIR> --d----- c:program filesKaspersky Lab
2009-09-07 01:11 <DIR> --d----- c:docume~1alluse~1applic~1Kaspersky Lab
2009-09-07 00:51 64,737 a------- c:windowssystem32driverssfi.dat
2009-09-07 00:49 <DIR> --d----- c:program filesCOMODO
2009-09-07 00:09 <DIR> --d----- c:docume~1alluse~1applic~1Kaspersky Lab Setup Files
2009-08-21 18:28 <DIR> --d----- c:docume~1alluse~1applic~1Blizzard Entertainment
2009-08-18 20:02 <DIR> --d----- c:program filesGIF Colour Mapper
2009-08-08 23:47 21,504 ac------ c:windowssystem32dllcachehidserv.dll
2009-08-08 23:47 21,504 a------- c:windowssystem32hidserv.dll
2009-08-08 23:47 12,160 ac------ c:windowssystem32dllcachemouhid.sys
2009-08-08 23:47 12,160 a------- c:windowssystem32driversmouhid.sys
2009-08-08 23:47 10,368 ac------ c:windowssystem32dllcachehidusb.sys
2009-08-08 23:47 10,368 a------- c:windowssystem32drivershidusb.sys

==================== Find3M ====================

2009-07-03 15:48 219,664 a------- c:windowssystem32klogon.dll
2009-06-29 09:12 827,392 a------- c:windowssystem32wininet.dll
2009-06-29 09:12 78,336 a------- c:windowssystem32ieencode.dll
2009-06-29 09:12 17,408 a------- c:windowssystem32corpol.dll
2009-06-16 07:36 119,808 a------- c:windowssystem32t2embed.dll
2009-06-16 07:36 81,920 a------- c:windowssystem32fontsub.dll
2008-03-06 20:25 32,768 a--sh--- c:windowssystem32configsystemprofilelocal settingsapplication datamicrosoftfeeds cacheindex.dat
2008-09-15 13:26 32,768 a--sh--- c:windowssystem32configsystemprofilelocal settingshistoryhistory.ie5mshist012008091520080916index.dat
2008-09-15 10:26 13 ---shr-- c:windowssystem32driversfbd.sys
2008-09-15 10:26 4 ---shr-- c:windowssystem32driverstaishop.sys
2008-09-15 10:25 16,384 a--sh--- c:windowstempcookiesindex.dat
2008-09-15 10:25 16,384 a--sh--- c:windowstemphistoryhistory.ie5index.dat
2008-09-15 10:25 16,384 a--sh--- c:windowstemptemporary internet filescontent.ie5index.dat

============= FINISH: 12:18:56.29 ===============

I know I'm not supposed to bump my log, but it's been several days with no reply, and I was wondering if it's being ignored due to not being the right format or something.


Hello tmf0000,

Your post is fine, :( but we ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post and merged it with your 1st post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.


The weatherman

Edited by The weatherman, 11 September 2009 - 06:24 PM.


#2 etavares


    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:03:10 AM

Posted 22 September 2009 - 05:12 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators

#3 teacup61


    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:10 AM

Posted 28 September 2009 - 01:44 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
