Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Keylogger, Virus, Trojan...


  • This topic is locked This topic is locked
5 replies to this topic

#1 ChaiVat

ChaiVat

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:26 PM

Posted 04 May 2010 - 10:55 AM

First, HELLO. I am new to "BleepingComputers". thumbup.gif

About a week ago, I discovered that the game I have been playing for many yrs., was hacked. "Keyloggers" seem to be the culprits when it comes to getting hacked with "online MMORPG's".
NCSoft is the maker of this game and their support has been really great. They recovered my account and even returned some items that were stolen. A couple of days later, it happened again. Hacked...I couldn't log into my account, etc.
I am at the point that I don't even care, but Iam concerned about "keyloggers", that might also record my keystrokes for other online accounting that I perform.

NCSoft asked me to run "HiJackThis". I did. They suggested that; O4 - HKCU..Run: [Display Driver] C:DOCUME~1ADMINI~1LOCALS~1Tempdispdrv.exe was a possible virus or keylogger. I removed it twice, but it continues to load itself. I only assume it loads itslef back up, because when I run HiJackThis, it appears again. Does ANYONE recognize anything here that may be of concern.

I truly appreciate any and all feedback. Thank in advance. thumbup2.gif

ChaiVat





Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:52:20 AM, on 5/4/2010
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
C:Program FilesAlwil SoftwareAvast4ashServ.exe
C:WINDOWSSysWOW64svchost.exe
C:Program Files (x86)ASUSAsSysCtrlService1.00.00AsSysCtrlService.exe
C:Program Files (x86)Javajre6binjqs.exe
C:Program Files (x86)GoogleUpdateGoogleUpdate.exe
C:Program Files (x86)Common FilesNeroNero BackItUp 4NBService.exe
C:WINDOWSSysWOW64PnkBstrA.exe
C:WINDOWSSysWOW64PnkBstrB.exe
C:Program Files (x86)PhotodexProShowGoldScsiAccess.exe
C:Program FilesAlwil SoftwareAvast4ashWebSv.exe
C:Program Files (x86)IObitAdvanced SystemCare 3AWC.exe
C:Program Files (x86)DAEMON Tools LiteDTLite.exe
C:Program Files (x86)Spybot - Search & DestroyTeaTimer.exe
C:Program Files (x86)iTeleportiTeleport ConnectiTeleportConnect.exe
C:Program FilesASUSAi SuiteAiNapAiNap.exe
C:Program FilesASUSAi SuiteCPU Level UPExCpuLevelUp.exe
C:Program Files (x86)ASUSAI Direct LinkAsShare.exe
C:Program FilesLogitechSetPointx86SetPoint32.exe
C:Program FilesASUSTurboVTurboV.exe
C:Program FilesASUSSix EngineSixEngine.exe
C:Program Files (x86)n52ten52teHid.exe
C:Program Files (x86)Analog DevicesCoresmax4pnp.exe
C:Program Files (x86)Javajre6binjusched.exe
C:Program Files (x86)Common FilesRealUpdate_OBrealsched.exe
C:PROGRA~1ALWILS~1Avast4ashDisp.exe
C:Program Files (x86)n52ten52teTra.exe
C:Program Files (x86)Mozilla Firefoxfirefox.exe
C:Program Files (x86)Javajre6binjucheck.exe
C:Program Files (x86)Trend MicroHijackThisHiJackThis.exe

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCUSoftwareMicrosoftInternet Connection Wizard,ShellNext = http://update.microsoft.com/
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = *.local
R3 - URLSearchHook: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:Documents and SettingsAdministratorLocal SettingsApplication DataCyberDefendercdmyidd.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:Program Files (x86)Common FilesAdobeAcrobatActiveXAcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:Program Files (x86)RealRealPlayerrpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:PROGRA~2SPYBOT~1SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:Program Files (x86)Microsoft OfficeOffice12GrooveShellExtensions.dll
O2 - BHO: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:Documents and SettingsAdministratorLocal SettingsApplication DataCyberDefendercdmyidd.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program Files (x86)Javajre6binjp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:Program Files (x86)Javajre6libdeployjqsiejqs_plugin.dll
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:Documents and SettingsAdministratorLocal SettingsApplication DataCyberDefendercdmyidd.dll
O4 - HKLM..Run: [Ai Nap] "C:Program FilesASUSAi SuiteAiNapAiNap.exe"
O4 - HKLM..Run: [QFan Help] "C:Program FilesASUSAi SuiteQFan3QFanHelp.exe"
O4 - HKLM..Run: [Cpu Level Up] "C:Program FilesASUSAi SuiteCPU Level UPExCpuLevelUp.exe" -r
O4 - HKLM..Run: [Launch Direct Link] "C:Program Files (x86)ASUSAI Direct LinkAsShare.exe"
O4 - HKLM..Run: [Launch As Cmd Runner] "C:Program Files (x86)ASUSAI Direct LinkAsCmd.exe" -reg
O4 - HKLM..Run: [TurboV] "C:Program FilesASUSTurboVTurboV.exe"
O4 - HKLM..Run: [Six Engine] "C:Program FilesASUSSix EngineSixEngine.exe" -r
O4 - HKLM..Run: [Jomantha] "C:Program Files (x86)n52ten52teHid.exe"
O4 - HKLM..Run: [GrooveMonitor] "C:Program Files (x86)Microsoft OfficeOffice12GrooveMonitor.exe"
O4 - HKLM..Run: [SoundMAXPnP] C:Program Files (x86)Analog DevicesCoresmax4pnp.exe
O4 - HKLM..Run: [SoundMAX] "C:Program Files (x86)Analog DevicesSoundMAXSmax4.exe" /tray
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program Files (x86)Javajre6binjusched.exe"
O4 - HKLM..Run: [TweakIt Help] "C:Program FilesASUSTweakItTweakIt.exe" -r
O4 - HKLM..Run: [JMB36X IDE Setup] C:WINDOWSRaidToolxInsIDE.exe
O4 - HKLM..Run: [TkBellExe] "C:Program Files (x86)Common FilesRealUpdate_OBrealsched.exe" -osboot
O4 - HKLM..Run: [avast!] C:PROGRA~1ALWILS~1Avast4ashDisp.exe
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program Files (x86)AdobeReader 9.0ReaderReader_sl.exe"
O4 - HKLM..Run: [Adobe ARM] "C:Program Files (x86)Common FilesAdobeARM1.0AdobeARM.exe"
O4 - HKCU..Run: [igndlm.exe] C:Program Files (x86)Download ManagerDLM.exe /windowsstart /startifwork
O4 - HKCU..Run: [Pando Media Booster] C:Program Files (x86)Pando NetworksMedia BoosterPMB.exe
O4 - HKCU..Run: [Advanced SystemCare 3] "C:Program Files (x86)IObitAdvanced SystemCare 3AWC.exe" /startup
O4 - HKCU..Run: [DAEMON Tools Lite] "C:Program Files (x86)DAEMON Tools LiteDTLite.exe" -autorun
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [SpybotSD TeaTimer] C:Program Files (x86)Spybot - Search & DestroyTeaTimer.exe
O4 - HKCU..Run: [iTeleportConnect] "C:Program Files (x86)iTeleportiTeleport ConnectiTeleportConnect.exe" -autostart
O4 - HKCU..Run: [Display Driver] C:DOCUME~1ADMINI~1LOCALS~1Tempdispdrv.exe
O4 - HKUSS-1-5-19..RunOnce: [tscuninstall] %systemroot%system32tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..RunOnce: [tscuninstall] %systemroot%system32tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-18..RunOnce: [tscuninstall] %systemroot%system32tscupgrd.exe (User 'SYSTEM')
O4 - HKUS.DEFAULT..RunOnce: [tscuninstall] %systemroot%system32tscupgrd.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:WINDOWSsystem32GPhotos.scr/200
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:PROGRA~2SPYBOT~1SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:PROGRA~2SPYBOT~1SDHelper.dll
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Futuremark SystemInfo) - http://service.futuremark.com/virtualmark/tc/FMSI.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareup...15108/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:Program Files (x86)Microsoft OfficeOffice12GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:WINDOWSSysWOW64browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:WINDOWSSysWOW64browseui.dll
O23 - Service: ASUS System Control Service (AsSysCtrlService) - Unknown owner - C:Program Files (x86)ASUSAsSysCtrlService1.00.00AsSysCtrlService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:Program FilesAlwil SoftwareAvast4ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:Program FilesAlwil SoftwareAvast4ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:Program FilesAlwil SoftwareAvast4ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:WINDOWSSystem32dmadmin.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:Program Files (x86)Common FilesMacrovision SharedFLEXnet PublisherFNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1ca88045c88aa2c) (gupdate1ca88045c88aa2c) - Google Inc. - C:Program Files (x86)GoogleUpdateGoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:Program Files (x86)GoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:WINDOWSSystem32lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program Files (x86)Common FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:WINDOWSsystem32imapi.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:Program Files (x86)Javajre6binjqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:Program FilesCommon FilesLogishrdBluetoothLBTServ.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:Program Files (x86)Common FilesNeroNero BackItUp 4NBService.exe
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:WINDOWSsystem32lsass.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:WINDOWSsystem32GameMon.des.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:WINDOWSsystem32lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:WINDOWSsystem32nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:WINDOWSsystem32services.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:WINDOWSsystem32PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:WINDOWSsystem32PnkBstrB.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:WINDOWSsystem32lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:WINDOWSsystem32lsass.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:Program Files (x86)PhotodexProShowGoldScsiAccess.exe
O23 - Service: Windows Service Pack Installer update service (spupdsvc) - Unknown owner - C:WINDOWSsystem32spupdsvc.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:WINDOWSSystem32vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:WINDOWSsystem32wbemwmiapsrv.exe (file missing)
O23 - Service: Windows Search (WSearch) - Unknown owner - C:WINDOWSsystem32SearchIndexer.exe (file missing)

--
End of file - 11511 bytes

I may have posted too hastily. My post may be in the wrong spot. I apologize admins.
I have to read forum rules first....duh

Chaivat

Edit: Merged apology reply with log post so that malware queue shows zero replies, then moved topic from XP to the more appropriate forum. ~ Animal

BC AdBot (Login to Remove)

 


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:26 AM

Posted 06 May 2010 - 11:20 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#3 ChaiVat

ChaiVat
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:26 PM

Posted 06 May 2010 - 09:11 PM

DDS does not support my operating system.

Regarding "my problems", it has been pointed out to me by "gmail" prompts that someone from China has even logged into my gmail account, as early as about 6 hrs ago. Previous to that bit of knowledge, I have completely lost everything on my Lineage2 (MMORPG game) account (gear etc). I suspect a "keylogger" by someone in China, that then logged into my game account to sell my items and then sell "adena (game currency) to people that purchase "game currency".

What concerns me, is the possibility that "these hackers" may get and or record my password keystrokes for my banking that we do online sometimes.

I cannot seem to find any software to remove what seems to be "suspicious" on my PC. I say suspicious because this place http://hjt.networktechs.com/ allows you to paste your "HighJackThis" saved log into their web page, then it "parses" it and tells you what should be removed. I follow the steps and "check" the questionable entries (in safe mode) and yet the entries re-appear when I reboot and do another HJT scan.

I don't know what to do...

Current HJT Log as of today:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:10:58 PM, on 5/6/2010
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\SysWOW64\svchost.exe
C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe
C:\Program Files (x86)\Java\jre6\bin\jqs.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\WINDOWS\SysWOW64\PnkBstrB.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\iTeleport\iTeleport Connect\iTeleportConnect.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\Ai Suite\CPU Level UPEx\CpuLevelUp.exe
C:\Program Files (x86)\ASUS\AI Direct Link\AsShare.exe
C:\Program Files\ASUS\TurboV\TurboV.exe
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\Program Files (x86)\n52te\n52teHid.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\Java\jre6\bin\jucheck.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HiJackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\Ai Suite\QFan3\QFanHelp.exe"
O4 - HKLM\..\Run: [Cpu Level Up] "C:\Program Files\ASUS\Ai Suite\CPU Level UPEx\CpuLevelUp.exe" -r
O4 - HKLM\..\Run: [Launch Direct Link] "C:\Program Files (x86)\ASUS\AI Direct Link\AsShare.exe"
O4 - HKLM\..\Run: [Launch As Cmd Runner] "C:\Program Files (x86)\ASUS\AI Direct Link\AsCmd.exe" -reg
O4 - HKLM\..\Run: [TurboV] "C:\Program Files\ASUS\TurboV\TurboV.exe"
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [Jomantha] "C:\Program Files (x86)\n52te\n52teHid.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files (x86)\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TweakIt Help] "C:\Program Files\ASUS\TweakIt\TweakIt.exe" -r
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files (x86)\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [iTeleportConnect] "C:\Program Files (x86)\iTeleport\iTeleport Connect\iTeleportConnect.exe" -autostart
O4 - HKCU\..\Run: [Display Driver] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dispdrv.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Futuremark SystemInfo) - http://service.futuremark.com/virtualmark/tc/FMSI.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareup...15108/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: ASUS System Control Service (AsSysCtrlService) - Unknown owner - C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Google Update Service (gupdate1ca88045c88aa2c) (gupdate1ca88045c88aa2c) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files (x86)\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Windows Service Pack Installer update service (spupdsvc) - Unknown owner - C:\WINDOWS\system32\spupdsvc.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: Windows Search (WSearch) - Unknown owner - C:\WINDOWS\system32\SearchIndexer.exe (file missing)

--
End of file - 8356 bytes


#4 ChaiVat

ChaiVat
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:26 PM

Posted 06 May 2010 - 09:28 PM

Well, this website http://www.2-spyware.com/htanalyze.php also parses the HighJackThis log files and suggests that NOTHING is wrong and everything is legit now, as of my last scan posted above. maybe I'm all good now?

Hmmm

Edited by ChaiVat, 06 May 2010 - 09:28 PM.


#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:26 AM

Posted 08 May 2010 - 06:27 AM

Hijackthis is out of date. The log can be clean and you are still infected, this means nothing. If you wanna be safe, we have to look deeper.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:26 AM

Posted 11 May 2010 - 11:09 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users