
Getting warnings about "Cylon/Zeus/Spyeye"


24 replies to this topic

#1 furiouszed

furiouszed

  • Members
  • 28 posts
  • OFFLINE
  • Local time:09:04 PM

Posted 14 June 2012 - 05:22 PM

I had problems five days ago with my online banking, with my bank telling me I had been denied access to my account because they had reason to believe my computer was infected. I ran as many scans as I could think of, including virus scans (AVG, Trend Micro Housecall, Panda Activescan), malware scans (mmab), registry scans (CCleaner) and others but there was no indication that I had an infection of any kind. The bank reset their system (and I changed my password) and I no longer have trouble with that, but I have noticed other things which are making me worry. Earlier today, Google Chrome stopped opening pages. I tried with IE and got blank pages there too. I rebooted my router as a matter of routine but still had problems. I tried accessing the same webpages on a laptop and typically had no trouble, leading me to believe it is my PC, rather than my internet connection that is at fault. I'm now thinking back to the warning I got from my bank and starting to worry. I have checked my "running processes" list (in Task Manager and in Spybot) and have checked the programs that are set to start automatically. This is something I do regularly and I would recognise most unwanted programs, even if I may not know how to fix them. I have noticed nothing odd. My Windows updates are all current, as are my AV and malware programs. I am posting the DDS and GMER logs as requested and I hope someone can help me, even if it's just by telling me I'm all safe and sound. Thanks in advance.

DDS
---
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by furiouszed at 22:07:31 on 2012-06-14
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1918.596 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Directory Opus\dopus.exe
C:\Program Files\VisualTaskTips\VisualTaskTips.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Documents and Settings\furiouszed\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler.exe
C:\Program Files\SnagIt\SnagIt32.exe
C:\Program Files\FileBX\FileBX.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\furiouszed\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\furiouszed\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://sn130w.snt130.mail.live.com/default.aspx
uSearch Page =
uSearch Bar =
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SearchPredictObj Class: {389943b0-c3a2-4e69-82cb-8596a84cb3dc} - c:\progra~1\search~1\SEARCH~1.DLL
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SBCONVERT Class: {92a9acf4-9333-43ae-9698-db283326f87f} - c:\program files\speedbit video downloader\tbu26\tbcore3.dll
BHO: GrabberObj Class: {ff7c3cf0-4b15-11d1-abed-709549c10000} - c:\program files\speedbit video downloader\tbu26\grabber.dll
TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - c:\program files\speedbit video downloader\tbu26\tbcore3.dll
uRun: [DOpus] c:\program files\directory opus\dopus.exe
uRun: [VisualTaskTips] c:\program files\visualtasktips\VisualTaskTips.exe
uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ATI Remote Control] c:\program files\ati multimedia\remctrl\ATIRW.exe
uRun: [Google Update] "c:\documents and settings\furiouszed\local settings\application data\google\update\GoogleUpdate.exe" /c
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_2_202_235_ActiveX.exe -update activex
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimageworkstation\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimageworkstation\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [egui] "c:\program files\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\furiou~1\startm~1\programs\startup\filebo~1.lnk - c:\program files\filebx\FileBX.exe
StartupFolder: c:\docume~1\furiou~1\startm~1\programs\startup\speedfan.lnk - c:\program files\speedfan\speedfan.exe
StartupFolder: c:\docume~1\furiou~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\snagit\SnagIt32.exe
uPolicies-explorer: NoSMHelp = 01000000
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\speedbit video accelerator\SBLSP.dll
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
TCP: Interfaces\{3407FE7B-4431-4395-A970-54D00B387779} : NameServer = 62.24.199.13,62.24.199.23
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Directory Opus Shell Execute Hook: {3cf9ece0-1a9f-11d2-8c73-00c06c2005de} - c:\program files\directory opus\dopuslib.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2012-6-9 28552]
R0 pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\pnp680.sys [2006-6-28 37031]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2012-3-14 120152]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2012-3-14 104160]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2011-12-15 228208]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-3-11 71440]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-3-11 164112]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-10-31 532224]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 ekrn;ESET Service;c:\program files\eset nod32 antivirus\ekrn.exe [2012-3-7 913144]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-3-11 931640]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~2\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~2\VideoAcceleratorService.exe -start -scm [?]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]
R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-5-28 21520]
.
=============== Created Last 30 ================
.
2012-06-11 18:23:58 -------- d-----w- c:\program files\ESET NOD32 Antivirus
2012-06-09 15:58:04 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2012-06-09 15:57:45 -------- d-----w- c:\program files\Panda Security
.
==================== Find3M ====================
.
2012-06-02 14:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 07:58:35 667136 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-14 22:35:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-14 22:35:22 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-20 19:29:52 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-04-20 19:29:52 61952 ----a-w- c:\windows\system32\tdc.ocx
2012-04-19 12:44:57 369664 ----a-w- c:\windows\system32\html.iec
2012-04-04 14:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 22:08:27.64 ===============

I'm unable to attach the Attach.txt and Ark.txt files and I don't know why. I'm clicking the "Choose File" button, selecting the file and then pressing "Attach This File" only to get the message "Error No file was selected for upload". I've now tried doing exactly the same thing but using the second "Choose File" button instead of the first and this time it appears to have worked. If not, please tell me how to send these files.

Thanks in advance for any help you can offer.



#2 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:02:04 PM

Posted 18 June 2012 - 05:08 PM

Greetings furiouszed and Welcome to the Forums,

You would most assuredly be experiencing performance issues while having both AVG and ESET installed and running real time protection. You need only one antivirus product on board for active protection. Any other antivirus product you wish to keep on board should be disabled and used for only an on demand scanner. I'm not even certain either of those (ESET or AVG) are capable of being disabled in total. That is, I believe both of them will want to re-claim the watch upon reboot. You should really decide which of them to keep and uninstall the other. Note though, that with ESET, the vendor does recommend that even though you may have it installed, an occasional online scan with ESET is also recommended. This is because their online scanner takes a different perspective of the system relative to ESET's default installation settings.

I also noticed you have uTorrent installed. Any one of the p2p (file sharing) software programs will eventually create issues for users from malicious programs that seem to abound where shared servers are used by anyone who wants to access them. You might also consider uninstalling your uTorrent and any file/program you downloaded using that software...to include videos/music, and any removable media where you may have stored files/programs that were downloaded from those shared servers. That is, unless you can say with absolute certainty that you know the people from whom you downloaded, and that those people are trustworthy.

Next, disable whichever antivirus product you still have running and scan with ESET Here. Check the "I Agree" box and click Next. When prompted, install the needed software to perform the scan. When it finishes with the install, click the Start button to initialize the scanner. When it's ready, you'll get a screen with two boxes unchecked by default along with the Scan button. Check both boxes, then click the Scan button. When it completes, use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log with your next reply, along with a description of any remaining problems. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
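The first point in the reply above (two antivirus products both showing *Enabled* in the DDS header) is something a helper reads off the log by eye. As an added example that is not part of this thread or of the DDS tool, the following parser pulls the `AV:`/`FW:` product lines out of a DDS log and flags when more than one antivirus has real-time protection enabled; the sample log text is constructed from the header lines posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# DDS prints one line per registered security product, for example:
#   AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-...}
#   FW: ZoneAlarm Firewall *Enabled*
# Firewalls carry no "/Updated" part and sometimes no GUID, so both are optional.
DDS_PRODUCT_RE = re.compile(
    r"^(?P<kind>AV|FW|SP):\s+(?P<name>.+?)\s+\*(?P<state>[^*]+)\*"
    r"(?:\s+\{(?P<guid>[0-9A-Fa-f-]+)\})?\s*$"
)


@dataclass
class SecurityProduct:
    kind: str                 # AV (antivirus), FW (firewall) or SP (antispyware)
    name: str
    enabled: bool             # real-time protection switched on
    updated: Optional[bool]   # None when DDS reports no update status (firewalls)
    guid: Optional[str]       # WMI SecurityCenter instance GUID, if printed


def parse_dds_products(log_text: str) -> List[SecurityProduct]:
    """Extract the security-product header lines from a DDS log."""
    products = []
    for line in log_text.splitlines():
        m = DDS_PRODUCT_RE.match(line.strip())
        if not m:
            continue
        flags = [f.strip().lower() for f in m.group("state").split("/")]
        enabled = flags[0] == "enabled"
        updated = (flags[1] == "updated") if len(flags) > 1 else None
        products.append(SecurityProduct(m.group("kind"), m.group("name"),
                                        enabled, updated, m.group("guid")))
    return products


def realtime_av_conflicts(products: List[SecurityProduct]) -> List[str]:
    """Names of enabled AV products, but only when more than one is active."""
    active = [p.name for p in products if p.kind == "AV" and p.enabled]
    return active if len(active) > 1 else []


# Constructed sample: the header of the DDS log posted in this thread.
SAMPLE_DDS = """\
DDS (Ver_2011-08-26.01) - NTFSx86
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *Enabled*
.
"""

# Constructed sample: the same products as ComboFix later reported them,
# with both scanners disabled for the run (the state the helper asked for).
SAMPLE_DISABLED = """\
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
"""

if __name__ == "__main__":
    for label, text in (("DDS", SAMPLE_DDS), ("ComboFix", SAMPLE_DISABLED)):
        prods = parse_dds_products(text)
        print(f"{label}: {len(prods)} products, conflicts: {realtime_av_conflicts(prods)}")
```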


#3 furiouszed

furiouszed
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:09:04 PM

Posted 18 June 2012 - 07:46 PM

Hi 1972vet,

Thanks for the reply.

Firstly, to get straight to the point, I do NOT use two anti-virus programs. I use AVG and keep it thoroughly updated at all times. The only reason I used ESET is that I wanted to use an online scanner and I knew ESET was recommended by the fixers on this site. So I scanned with it and it apparently installed itself as well. That wasn't my intention and it will be uninstalled as soon as the problems I have are fixed. I am doing a fresh ESET online scan right now but wanted to include some more info for you to look at. Firstly, the original ESET scan log (from yesterday's scan) is here:

========================================================
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=eca5016fd9f44649b2481bb04c293fbd
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-06-16 04:51:49
# local_time=2012-06-16 05:51:49 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 19765158 19765158 0 0
# compatibility_mode=8204 39157077 100 92 967 8716173 0 0
# compatibility_mode=9217 16777214 75 70 19763297 39437493 0 0
# scanned=618017
# found=14
# cleaned=14
# scan_time=21728
# nod_component=V3 Build:0x30000000
G:\installs\18 mirc717.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\installs\winamp\winamp5-5-7-2943_full_emusic-7plus_en-us.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\installs\winamp\winamp5-5-8-2985_full_bundle_emusic-7plus_en-us.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\installs\winamp\winamp5-6-1-3133_full_bundle_emusic-7plus_all.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\installs\winamp\winamp5-6-2-3173_full_bundle_emusic-7plus_all.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\installs\xp powertoys\Unlocker1.9.1.exe Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\My Documents\Downloads\Orbit Video DownloaderSetup.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
K:\Orbit Video DownloaderSetup.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
K:\New Folder\unlocker1.8.8.exe Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
L:\installs\18 mirc717.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
L:\installs\winamp\winamp5572_full_emusic-7plus_en-us.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
L:\installs\winamp\winamp5581_full_bundle_emusic-7plus_en-us.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
L:\installs\winamp\winamp5613_full_bundle_emusic-7plus_all.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
L:\installs\winamp\winamp5621_full_bundle_emusic-7plus_all.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=eca5016fd9f44649b2481bb04c293fbd
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-06-17 12:07:36
# local_time=2012-06-17 01:07:36 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 19787179 19787179 0 0
# compatibility_mode=8204 39157077 100 92 22988 8738194 0 0
# compatibility_mode=9217 16777214 75 70 19785318 39459514 0 0
# scanned=618056
# found=0
# cleaned=0
# scan_time=25855
# nod_component=V3 Build:0x30000000
========================================================

I am also attaching a screenshot of the results of the previous scans with both ESET and GMER. I want to make it perfectly clear that I have NOT acted on these results, I merely performed the scans to see if they found anything my regular AVG scan had not. For the record, I am confident that the Winamp exe files are harmless. I suspect the installers probably contain optional toolbars or other 3rd party stuff that may be considered harmful and which would therefore be flagged. I am counting these as "false positives". The only thing I am unsure about is Orbit Video DownloaderSetup.exe, which I downloaded but have not yet installed.

Secondly, and far more importantly, my email account was hacked yesterday and everyone in my address book was spammed. I went online with a clean computer and changed my password but somehow the same thing seems to have happened again. I have changed my password again but am getting rather anxious about it. When I checked my email help I was told that they had detected me logging into my account from an IP address in Japan. (The fact that I had been logged in using an IP address in the UK 8 hours earlier and 2 hours later apparently did not concern them... they must think I have access to a time machine.) Anyway, I am counting this as proof positive that there is something on my machine that should NOT be here and I'm hoping something can be done about it as soon as possible. I am using the net as little as possible while the problem is here but as you can imagine, this is not easy - I need access to my online banking and specifically my email so I can keep an eye on this thread.

I've obviously had to connect to the internet with the PC in order to do the online scan but other than that I am using a laptop to keep in touch. I will be performing any actions you suggest on both machines in case the virus has spread across my network. The ESET scan that is running now is expected to take around 7 hours so I will post the result tomorrow morning. In the meantime, please let me know if any of the above is useful. I have tried to include as much info as possible as I know bumping the thread makes it take longer to get an answer.

Thanks in advance for any help you can provide. Looking forward to hearing from you as soon as you can manage.

#4 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:02:04 PM

Posted 19 June 2012 - 04:15 AM

I don't see your screen shot. It's neither here nor there since the ESET scan you have posted seems fair enough and the original gmer log looked fine to me. By the way, orbit video downloader should be fine. Depending where you downloaded it that is...

What do you use for an email client? Web based, native on board? When you changed your email password, you would have used a different "secure" computer to perform the action, correct? To assume you have some infection on board simply because your email was hacked is inappropriate and usually inaccurate. Most often, especially with online web based email applications, email accounts are infected via some remote hack using a script. In these cases, your email account isn't actually mounted up by the account hacker, rather it's invaded by the "bot", or script, for the purpose of sending out spam email messages promoting some agenda...usually advertisements of some sort or another.

It's not to say you don't have any infection, just to correct your line of thought...you may indeed have some infection on board but thus far, it appears fairly innocuous. Let's have a swing at it with combofix:

Please disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here.
...of those, many people overlook the Windows Defender since, for most, there is no icon for it in the system tray. Scroll through those directives above and look for this application specifically, to make certain it is disabled.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click ComboFix's window while it's running... that may cause the scan to stall.

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#5 furiouszed

furiouszed
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:09:04 PM

Posted 19 June 2012 - 08:21 AM

Hi,

I use a web-based email service and yes, as I said earlier, I changed my password with a different, "secure" machine. I even used a different WI-FI network to connect. You said "To assume you have some infection on board simply because your email was hacked is inappropriate and usually inaccurate". I agree with that but would like to point out that I did not make that assumption. My assumption that I was infected was a result of several things, primarily my bank's insistence that I could not login to online banking because they had detected a virus on the PC I was using to connect.

A few days after I was locked out of online banking, we had a call from someone asking if our computer was running slow. It appeared at the time to be the usual type of crank call intended to scare people into allowing access to their PC and/or paying for unnecessary software to fix a problem that didn't exist. On reflection, this was more than likely a follow-up call from someone who had knowingly infected my machine and was now trying to get money from me by pretending to be from Microsoft or some company that could fix the "purely coincidental" problems I was suddenly having. I can't be sure exactly what he wanted as we put the phone down before he could start his second sentence.

It was shortly after this that IE and Chrome started having problems (as described in my first post) and the fact that all of these problems were only evident on one machine out of three led me to the conclusion that there was an infection of some kind on this PC. Hopefully that clarifies my train of thought.

I ran combofix (and installed the Recovery Console) as suggested and here is the log:


ComboFix 12-06-19.01 - furiouszed 19/06/2012 13:10:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1918.908 [GMT 1:00]
Running from: c:\documents and settings\furiouszed\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\FURIOU~1\LOCALS~1\Temp\sfamcc00001.dll
c:\docume~1\FURIOU~1\LOCALS~1\Temp\sfareca00001.dll
c:\documents and settings\All Users\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Start Menu\Cool Edit Pro 2.1 .lnk
c:\documents and settings\furiouszed\Application Data\Toolbar4
c:\documents and settings\furiouszed\Application Data\Toolbar4\{0329E7D6-6F54-462D-93F6-F5C3118BADF2}\cache\6f52dca438370b63146a128c3829cc7e
c:\documents and settings\furiouszed\Application Data\Toolbar4\{0329E7D6-6F54-462D-93F6-F5C3118BADF2}\cache\bbb9c886cf2ba534f4be36c9ba863f2f
c:\documents and settings\furiouszed\Application Data\Toolbar4\{0329E7D6-6F54-462D-93F6-F5C3118BADF2}\cache\ff41badd2fd5214390366f33db21e4df
c:\documents and settings\furiouszed\Application Data\Toolbar4\{0329E7D6-6F54-462D-93F6-F5C3118BADF2}\include_files\1492040db76ecae963b0abf19e8d00e5
c:\documents and settings\furiouszed\Application Data\Toolbar4\{0329E7D6-6F54-462D-93F6-F5C3118BADF2}\speedbit_icon0.2.png
c:\documents and settings\furiouszed\Local Settings\Temp\sfamcc00001.dll
c:\documents and settings\furiouszed\Local Settings\Temp\sfareca00001.dll
c:\program files\SpeedBit Video Downloader\Toolbar\tbhelper.dll
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\drivers\etc\lmhosts
H:\Autorun.inf
I:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-19 to 2012-06-19 )))))))))))))))))))))))))))))))
.
.
2012-06-17 14:28 . 2012-06-17 14:28 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-17 09:45 . 2012-06-17 09:45 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\ESET
2012-06-17 01:26 . 2012-06-17 01:26 -------- d-----w- c:\documents and settings\furiouszed\Local Settings\Application Data\ESET
2012-06-16 10:46 . 2012-06-16 10:46 -------- d-----w- c:\program files\ESET
2012-06-11 18:23 . 2012-06-12 19:20 -------- d-----w- c:\program files\ESET NOD32 Antivirus
2012-06-11 18:23 . 2012-06-11 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2012-06-09 15:58 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2012-06-09 15:57 . 2012-06-09 15:57 -------- d-----w- c:\program files\Panda Security
2012-06-08 20:42 . 2012-06-08 20:42 65720 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-14 23:33 . 2012-04-05 11:11 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-14 23:33 . 2011-11-01 23:16 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 14:19 . 2009-08-06 19:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19 . 2011-10-31 14:05 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 14:19 . 2011-10-31 14:05 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19 . 2011-10-31 14:05 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 14:19 . 2009-08-06 19:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19 . 2011-10-31 14:05 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 14:19 . 2011-10-31 14:05 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 14:19 . 2009-08-06 19:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 14:19 . 2009-08-06 19:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 14:19 . 2009-08-06 19:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:19 . 2011-10-31 14:05 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 14:19 . 2011-10-31 14:05 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 07:58 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2004-08-04 12:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-04 13:16 . 2004-08-04 12:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2011-10-31 14:03 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-20 19:29 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-04-20 19:29 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2012-04-19 12:44 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec
2012-04-04 14:56 . 2011-10-31 17:57 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{389943B0-C3A2-4E69-82CB-8596A84CB3DC}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92A9ACF4-9333-43AE-9698-DB283326F87F}]
2012-02-04 14:00 2660016 ----a-w- c:\program files\SpeedBit Video Downloader\TBU26\tbcore3.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DOpus"="c:\program files\Directory Opus\dopus.exe" [2006-08-23 5265336]
"VisualTaskTips"="c:\program files\VisualTaskTips\VisualTaskTips.exe" [2008-06-22 65536]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2011-08-22 6276408]
"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-07-08 196608]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 16860672]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [2007-01-31 1129232]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [2007-01-31 1862112]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-01-31 140832]
"egui"="c:\program files\ESET NOD32 Antivirus\egui.exe" [2012-03-07 3117344]
.
c:\documents and settings\furiouszed\Start Menu\Programs\Startup\
FileBox eXtender.lnk - c:\program files\FileBX\FileBX.exe [2011-11-1 516096]
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2011-11-3 4657048]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-19 4742184]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SnagIt 5.0.lnk - c:\program files\SnagIt\SnagIt32.exe [2011-10-31 880640]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "c:\program files\Directory Opus\dopuslib.dll" [2006-08-22 489400]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\furiouszed\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Acronis\\TrueImageWorkstation\\TrueImage.exe"=
"v:\\misc crap\\mirc\\mirc32.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Documents and Settings\\furiouszed\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [11/07/2011 02:14 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [13/09/2011 07:30 32592]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/06/2012 16:58 28552]
R0 pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\pnp680.sys [28/06/2006 00:10 37031]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [11/07/2011 02:13 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/07/2011 02:14 295248]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14/03/2012 08:40 120152]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14/03/2012 08:40 104160]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [15/12/2011 17:54 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [08/06/2012 21:42 71480]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [08/06/2012 21:42 166840]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 07:25 4433248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 07:09 192776]
R2 ekrn;ESET Service;c:\program files\ESET NOD32 Antivirus\ekrn.exe [07/03/2012 15:40 913144]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [08/06/2012 21:42 976728]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~2\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~2\VideoAcceleratorService.exe -start -scm [?]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [11/07/2011 02:14 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [11/07/2011 02:14 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [11/07/2011 02:14 16720]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [28/05/2012 21:34 21520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - RAPPORTMGMTSERVICE
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2139871995-839522115-1003Core.job
- c:\documents and settings\furiouszed\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-06 13:07]
.
2012-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2139871995-839522115-1003UA.job
- c:\documents and settings\furiouszed\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-06 13:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sn130w.snt130.mail.live.com/default.aspx
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
LSP: c:\program files\SpeedBit Video Accelerator\SBLSP.dll
TCP: Interfaces\{3407FE7B-4431-4395-A970-54D00B387779}: NameServer = 62.24.199.13,62.24.199.23
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-19 13:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1440)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(1512)
c:\windows\system32\relog_ap.dll
c:\program files\SpeedBit Video Accelerator\SBLSP.dll
c:\program files\SpeedBit Video Accelerator\ConfigDB.dll
.
- - - - - - - > 'explorer.exe'(5620)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\program files\VisualTaskTips\VttHooks.dll
c:\program files\FileBX\FileBXH.dll
c:\program files\Directory Opus\dopuslib.dll
c:\program files\Taskbar Shuffle\tbhookin.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\SPEEDB~2\VideoAcceleratorService.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\windows\system32\msiexec.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\windows\system32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2012-06-19 13:31:35 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-19 12:31
.
Pre-Run: 14,643,765,248 bytes free
Post-Run: 15,819,177,984 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - D5292A759F90F2F18F1418A433CDA4D3


You will note that Zone Alarm's firewall was not disabled, that was an oversight on my part. It didn't appear to make any difference but if you need me to scan again, please let me know.

Many thanks again for your help so far, I look forward to hearing your comments on the log and the condition of my PC.
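The log above is the kind of output a helper reads by hand. As an added example (not from the thread, from ComboFix or from BleepingComputer), this Python script pulls the autostart, Security Center, firewall-policy, Winsock LSP and DNS lines out of a ComboFix-style log excerpt and lists what a reviewer would check first; the antivirus path markers and the "system drive is C:" rule are assumptions made for this sample.

```python
import ipaddress
import re

# Excerpt of the ComboFix log posted above, embedded here as the sample input.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92A9ACF4-9333-43AE-9698-DB283326F87F}]
2012-02-04 14:00 2660016 ----a-w- c:\program files\SpeedBit Video Downloader\TBU26\tbcore3.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]
"egui"="c:\program files\ESET NOD32 Antivirus\egui.exe" [2012-03-07 3117344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
LSP: c:\program files\SpeedBit Video Accelerator\SBLSP.dll
TCP: Interfaces\{3407FE7B-4431-4395-A970-54D00B387779}: NameServer = 62.24.199.13,62.24.199.23
"""

_SECTION = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "Name"="c:\path\prog.exe" [date size]  -- a value line inside a Run key
_RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')

# Path fragments that identify a resident antivirus product. This is a small
# constructed list for the sample; extend it for the products you expect.
AV_MARKERS = {'AVG': r'\avg\avg', 'ESET': r'\eset nod32'}


def parse_registry_blocks(log):
    """Map each [bracketed] registry key to the value lines beneath it.
    ComboFix ends a block with a line holding a single '.'."""
    blocks, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        if line in ('', '.'):
            current = None
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group('key')
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def autostart_entries(blocks):
    """Yield (key, value name, image path) for every enabled Run key.
    Keys ending in 'run-' hold disabled entries and are skipped."""
    for key, lines in blocks.items():
        if key.lower().endswith('\\run'):
            for line in lines:
                m = _RUN_VALUE.match(line)
                if m:
                    yield key, m.group('name'), m.group('path')


def triage(log):
    """Return the findings a reviewer would check first, in plain English."""
    blocks = parse_registry_blocks(log)
    findings = []
    for key, lines in blocks.items():
        k = key.lower()
        if k.endswith('firewallpolicy\\standardprofile') and \
                any(l.startswith('"EnableFirewall"= 0') for l in lines):
            findings.append('Windows Firewall is off for the standard profile; '
                            'acceptable only if a third-party firewall is really active')
        if 'security center\\monitoring' in k and \
                any('"DisableMonitoring"=dword:00000001' in l for l in lines):
            findings.append('Security Center monitoring disabled for ' + key.split('\\')[-1])
    # Two resident antivirus products starting at logon is itself a problem.
    vendors = {v for _, _, path in autostart_entries(blocks)
               for v, marker in AV_MARKERS.items() if marker in path.lower()}
    if len(vendors) > 1:
        findings.append('More than one resident antivirus product starts at logon: '
                        + ', '.join(sorted(vendors)))
    # A Winsock LSP outside the Windows directory sits in every socket call.
    for m in re.finditer(r'^LSP:\s*(.+)$', log, re.MULTILINE):
        path = m.group(1).strip()
        if not path.lower().startswith('c:\\windows'):
            findings.append('Third-party Winsock LSP: ' + path)
    # Resolvers outside private address space should match what the ISP hands out.
    for m in re.finditer(r'NameServer = ([\d.,]+)', log):
        for ip in m.group(1).split(','):
            if not ipaddress.ip_address(ip.strip()).is_private:
                findings.append('Public DNS resolver configured: %s; confirm it is the expected one' % ip)
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print('-', finding)
```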

#6 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 19 June 2012 - 02:00 PM

Things actually look pretty good. How is it running?

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#7 furiouszed

  • Topic Starter
  • Members
  • 28 posts

Posted 19 June 2012 - 04:01 PM

The computer seems to be running okay, though having said that I'm doing very little on it. I won't be comfortable using it to go online unless I've found and killed something malicious. (Finding nothing won't exactly put my mind at ease after the problems I've had.) Do you have any information on the "OpenCandy" entries in the logs below?

I'm very cautious about using the PC to visit any sites where I need to enter a password and I would be grateful for any advice you can give me to ensure there is nothing lingering on my machine. Many thanks.

#8 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 19 June 2012 - 06:42 PM

The computer seems to be running okay, though having said that I'm doing very little on it. I won't be comfortable using it to go online unless I've found and killed something malicious. (Finding nothing won't exactly put my mind at ease after the problems I've had.) Do you have any information on the "OpenCandy" entries in the logs below?

I'm very cautious about using the PC to visit any sites where I need to enter a password and I would be grateful for any advice you can give me to ensure there is nothing lingering on my machine. Many thanks.

"We" haven't removed anything malicious...and as for the scans you performed, although some items were found and flagged, you had said you are confident the findings were false. That said, the system's condition seems fairly healthy considering the logs and your own observations/statements. I do have a suspicion that combofix may have removed a couple of legitimate files:
c:\docume~1\FURIOU~1\LOCALS~1\Temp\sfamcc00001.dll
c:\docume~1\FURIOU~1\LOCALS~1\Temp\sfareca00001.dll
...but while we are waiting for confirmation on that, you might be able to ascertain for yourself if your "SpeedFan" is still working. It's my opinion those files belong to speedfan, so if it's broken, we can restore those files (that is, if you haven't already done so yourself).

The "OpenCandy" stuff, I believe, comes along with DivX...at least, I know it used to. The application, I believe, is ad related, so I would imagine that's why the deletion, and considering it also wants to download and install other stuff, a/v scanners will see it as malicious. I personally wouldn't have it. I might add, there would also be some privacy concerns related with it, so having it removed is not a bad move.



#9 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 19 June 2012 - 07:45 PM

...by the way, it's been confirmed that those files I mentioned which were removed by the combofix run were indeed false positives. Having already run CCleaner yourself (according to your original post) it's evident to me that those files will return so having them removed by combofix, although wasn't necessary, also has done no harm since the application will re-generate the files as needed.



#10 furiouszed

  • Topic Starter
  • Members
  • 28 posts

Posted 20 June 2012 - 10:16 AM

"We" haven't removed anything malicious...


I know we haven't. My point was that, having had problems with the PC, I would be happier if we had found a problem and fixed it. The fact that we have not found the source of the problem is why I'm still worrying.

The "OpenCandy" stuff, I believe, comes along with DivX...at least, I know it used to. The application I believe is ad related so I would imagine that's why the deletion and considering it also wants to download and install other stuff, a/v scanners will see it as malicious. I personally wouldn't have it. I might add, there would also be some privacy concerns related with it so having it removed is not a bad move.


I used to use the DivX media player about 5 years ago. I have reinstalled Windows more than once since then but have never reinstalled DivX. The only DivX components that might be on my machine are video codecs that would have been installed if a video file didn't play in Winamp. There is no DivX in my Add/Remove programs list; do you have any reason to suspect the application itself is on my machine? I agree with everything you said about it and I don't (intentionally) have it on my machine for the same reasons.

FYI, you were correct to say that the files deleted by ComboFix were part of SpeedFan. You were also correct to assume they would be restored after a reboot. SpeedFan still works fine.

The only other thing I have noticed is in my Device Manager. Looking at hidden devices displays an extra list of "Non-Plug and Play Drivers", which includes "catchme", with a yellow warning symbol on it. Is this part of ComboFix? (And will it disappear when we uninstall ComboFix?)

In conclusion, it looks like you consider the machine to be clean. If this were your own PC, would you be happy to close the case or is there another type of scan you would recommend I run to be 100% sure? I freely admit to still being troubled by my bank's insistence that I had Zeus, Cylon or Spyeye on my machine and I would hate to start surfing again while having a keylogger or other malware on my computer.

I look forward to hearing from you. Many thanks again.

#11 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 20 June 2012 - 11:22 AM

When I said:
"We" haven't removed anything malicious..." I guess I should have qualified the statement. We haven't run any "scans" that removed anything malicious, but "we" did in fact remove a huge piece of problem software. While I can't say, by itself, uTorrent is malicious, I can say many of its users are.

uTorrent is notorious for causing malware issues for users. I wouldn't have it on my system. We did remove it, but I suspect it was in use at the time you were having issues with your bank. There has been a history of vulnerabilities with uTorrent, largely due to its popularity. Other issues with it, I've already outlined. I can imagine a remote user having accessed your system more than once, and perhaps may have been behind your email hack. These p2p programs are cesspools in my opinion...I'm not alone in that regard either. Many of us in the consumer security arena share that opinion, as does U.S. CERT.

Any time I find a user who has it on board I always let them know about the dangers. Any virus or malicious type of code you can imagine is out there...and sometimes users download and install them while looking for cracked programs, music or movies for free.

As to the open candy, it can certainly be bundled and probably is. I just don't happen to know every piece of software out there that might want to shake hands with it but I would bet there are plenty.

You asked if it were my system, would I be satisfied at this point...and I'd have to say if it WERE my system, I would make a few more changes. It isn't a fair comparison though, since you and I obviously have different tastes.

I would like to see a couple more scans though:
Please run the free online scan Here. After clicking the Start scan button, please check the box for the option Enable thorough system inspection, then click the Start button.

Just below the "Scan Options:" section, you'll see the status of what's currently processing. You will also see an in-process indicator.
...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs complained of during the scan. Copy your results so you can paste them back here on your next reply.

Next, although Secunia is an excellent "update" scanner, it does find and report ONLY outdated software for which there has been a security vulnerability reported. FileHippo offers a piece of freeware that scans for all the rest. While you'd think it's enough to have just one, I should point out, the FileHippo scanner isn't necessarily going to point out to you that certain programs have any vulnerabilities...secunia does this and more, but it also leaves a gap, such that any other outdated software is ignored.

Download FileHippo's Update Checker. Double-click the FHSetup.exe file to install it. When the install completes, you'll find the Update Checker shortcut on the desktop. Double-click on it and a scan begins with the results showing in your browser. Any software it finds to be out of date will be presented in your browser. Just click on the download link provided there to download your software updates. Ignore the beta software unless you want that...during the scanner initialization, you can click the settings link, then click the results tab and check the box "Hide beta versions". After clicking the OK button, click the "Retry" link to continue the scan with those settings. Please remember to post back your results. Thanks!



#12 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 25 June 2012 - 03:33 AM

As there has been no response in nearly 120 hours, this thread will be closed for lack of feedback to prevent others from posting here. If you need continued support, please open a new thread indicating your current issue(s) and please include a link to this thread with your request so your assistant can see what has been done to date. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.



#13 furiouszed

  • Topic Starter
  • Members
  • 28 posts

Posted 26 June 2012 - 06:25 PM

Hi,

I was in the middle of fixing a problem on my machine with some input from 1972vet when he closed the thread before it was resolved. The last thing he asked for was the result of a Secunia scan; I tried to post this yesterday only to find the thread locked. I am starting a new thread as requested although I am not sure what anyone else will find (or look for) in this scan as 1972vet didn't tell me why he wanted me to run it. I'm not very happy that I've been hung out to dry when I have a machine that I have good reason to believe is infected. I hope someone can look at my post below, as well as the original post here http://www.bleepingcomputer.com/forums/topic457021.html/page__gopid__2737032 and give me some advice. I appreciate any replies, specifically those that can address the original Cylon/Spyeye/Zeus problem mentioned.

Many thanks :)

****************************************
Here's the result of the Secunia scan. I'm not entirely sure how useful it is, as a quick read through proved it to be quite misleading. For example, a lot of the programs which it found "installed" on my computer (Opera, Winamp 2, Windows Media Player) are not actually installed. Rather, the scan has found the exe file which would install the program. Also, about 60 Windows updates were listed as missing, which worried me to death. It turns out there are only about 6, but they are listed ten times each. The missing updates also seem to relate to updates for programs I don't even have installed.

Last but not least, the Adobe Flash player is causing no end of confusion. I have received several notices from Flash (which is set to auto-update) telling me that it is doing just that and yet the most current version does not appear to be installed. It's also annoying to see that Flash Player 10 is installed as well as Flash Player 11. Bad enough that the version of FP11 is not up to date, why on earth is FP10 still on my machine? I would have expected that to be uninstalled when FP11 was installed!

Anyway, take a look and see if there's anything that's of use to you. I would appreciate it if you could let me know the best way to install the most current version of Flash. It may be worth mentioning that I'm using Chrome (not IE, which is why I've not updated to IE8, though I do still download Windows updates intended to patch IE6). Chrome, as you may know, uses its own built in version of Flash which it updates itself, but it is known to cause conflicts with the Adobe version. I've had a few "Shockwave" crashes which have caused minor problems and I've yet to find a solution to this.


Detection Statistics: 25 Applications Detected in Total
13 Insecure Versions Detected
12 Patched Versions Detected

Running For: 30 Minutes, 42 Seconds

Errors with the scan: 0 Errors Detected, scan result should be correct

Status / Currently Processing: Detection completed successfully


Programs / Result: Winamp 5.x
Version Detected: 5.5.8.2985
Installed on Your System in: C:\Program Files\Winamp\winamp.exe
Status: The detected version installed on your system is 5.5.8.2985, however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 5.63.

Programs / Result: Adobe Flash Player 11.x
Version Detected: 11.2.202.233 (ActiveX)
Installed on Your System in: C:\WINDOWS\SYSTEM32\Macromed\Flash\Flash32_11_2_202_233.ocx
Status: This installation of Adobe Flash Player 11.x is insecure and potentially exposes your system to security threats! The detected version installed on your system is 11.2.202.233 (ActiveX), however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 11.3.300.257 (ActiveX).

Programs / Result: Adobe Flash Player 11.x
Version Detected: 11.2.202.228 (ActiveX)
Installed on Your System in: C:\WINDOWS\SYSTEM32\Macromed\Flash\Flash32_11_2_202_228.ocx
Status: This installation of Adobe Flash Player 11.x is insecure and potentially exposes your system to security threats! The detected version installed on your system is 11.2.202.228 (ActiveX), however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 11.3.300.257 (ActiveX).

Programs / Result: Adobe Flash Player 11.x
Version Detected: 11.2.202.235 (NPAPI)
Installed on Your System in: C:\DOCUME~1\FURIOU~1\LOCALS~1\Application Data\Google\Chrome\Application\19.0.1084.52\gcswf32.dll
Status: This installation of Adobe Flash Player 11.x is insecure and potentially exposes your system to security threats! The detected version installed on your system is 11.2.202.235 (NPAPI), however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 11.3.300.257 (NPAPI).

Programs / Result: Adobe Flash Player 11.x
Version Detected: 11.2.202.235 (NPAPI)
Installed on Your System in: C:\DOCUME~1\FURIOU~1\LOCALS~1\Temp\..\application data\google\Chrome\Application\19.0.1084.52\gcswf32.dll
Status: This installation of Adobe Flash Player 11.x is insecure and potentially exposes your system to security threats! The detected version installed on your system is 11.2.202.235 (NPAPI), however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 11.3.300.257 (NPAPI).

Programs / Result: Adobe Flash Player 10.x
Version Detected: 10.0.32.18 (NPAPI)
Installed on Your System in: G:\installs\settings\Opera settings\program\plugins\NPSWF32.dll
Status: This installation of Adobe Flash Player 10.x is insecure and potentially exposes your system to security threats! The detected version installed on your system is 10.0.32.18 (NPAPI), however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 10.3.183.16 (NPAPI).
NOT ACTUALLY INSTALLED!

Others:
Programs / Result: Microsoft Internet Explorer 6.x 6.00.2900.5512
Installed on Your System in: C:\WINDOWS\erdnt\cache\iexplore.exe
Status: This installation of Microsoft Internet Explorer 6.x is insecure and potentially exposes your system to security threats! Your system does not have all security related patches from Microsoft installed. Please see list below for details about the missing patches. Missing KB Articles: KB2699988 / KB2675157 / KB2647516 / KB2618444 / KB2586448 / KB2544521

Programs / Result: Microsoft Windows Media Player 9.x 9.00.00.2980
Installed on Your System in: G:\installs\Windows Media Player\wmplayer.exe
Status: NOT ACTUALLY INSTALLED!

Programs / Result: Opera 10.x 10.1.1844.0
Installed on Your System in: G:\installs\settings\Opera settings\opera.exe
Status: NOT ACTUALLY INSTALLED!

Programs / Result: WinAMP 2.x 2.04
Installed on Your System in: D:\jukebox\REM_JTL\WINAMP.EXE
Status: NOT ACTUALLY INSTALLED!

Edit: Merged topic with original and reopened topic at the request of Malware Helper. ~ Animal
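The poster's two complaints about the report above (installer or portable copies on other drives counted as installed software, and the same file or the same missing KB listed more than once) are mechanical enough to filter. As an added example that is not from the thread or from Secunia, this Python triage parses the report format shown above, collapses duplicates with ntpath.normpath (so the Chrome Flash file reached via "Temp\..\" is recognised as the same file), de-duplicates the KB list, treats anything off the system drive as not a running install, and compares detected against latest patched versions numerically; the "system drive is C:" rule and the verdict names are assumptions of the example.

```python
import ntpath
import re

# Excerpt of the Secunia report posted above, embedded here as the sample input.
SAMPLE_REPORT = r"""
Programs / Result: Winamp 5.x
Version Detected: 5.5.8.2985
Installed on Your System in: C:\Program Files\Winamp\winamp.exe
Status: The detected version installed on your system is 5.5.8.2985, however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 5.63.

Programs / Result: Adobe Flash Player 11.x
Version Detected: 11.2.202.235 (NPAPI)
Installed on Your System in: C:\DOCUME~1\FURIOU~1\LOCALS~1\Application Data\Google\Chrome\Application\19.0.1084.52\gcswf32.dll
Status: This installation of Adobe Flash Player 11.x is insecure and potentially exposes your system to security threats! The detected version installed on your system is 11.2.202.235 (NPAPI), however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 11.3.300.257 (NPAPI).

Programs / Result: Adobe Flash Player 11.x
Version Detected: 11.2.202.235 (NPAPI)
Installed on Your System in: C:\DOCUME~1\FURIOU~1\LOCALS~1\Temp\..\application data\google\Chrome\Application\19.0.1084.52\gcswf32.dll
Status: This installation of Adobe Flash Player 11.x is insecure and potentially exposes your system to security threats! The detected version installed on your system is 11.2.202.235 (NPAPI), however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 11.3.300.257 (NPAPI).

Programs / Result: Adobe Flash Player 10.x
Version Detected: 10.0.32.18 (NPAPI)
Installed on Your System in: G:\installs\settings\Opera settings\program\plugins\NPSWF32.dll
Status: This installation of Adobe Flash Player 10.x is insecure and potentially exposes your system to security threats! The detected version installed on your system is 10.0.32.18 (NPAPI), however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 10.3.183.16 (NPAPI).

Programs / Result: Microsoft Internet Explorer 6.x 6.00.2900.5512
Installed on Your System in: C:\WINDOWS\erdnt\cache\iexplore.exe
Status: This installation of Microsoft Internet Explorer 6.x is insecure and potentially exposes your system to security threats! Your system does not have all security related patches from Microsoft installed. Please see list below for details about the missing patches. Missing KB Articles: KB2699988 / KB2675157 / KB2647516 / KB2618444 / KB2586448 / KB2544521

Programs / Result: Opera 10.x 10.1.1844.0
Installed on Your System in: G:\installs\settings\Opera settings\opera.exe
Status: NOT ACTUALLY INSTALLED!
"""

_FIELD = re.compile(r'^(Programs / Result|Version Detected|Installed on Your System in|Status): ?(.*)$')
_LATEST = re.compile(r'latest patched version .*? is (\d+(?:\.\d+)*)')
_VERSION = re.compile(r'(\d+(?:\.\d+)*)')


def parse_report(text):
    """Group the report's 'field: value' lines into one dict per program entry."""
    entries, current = [], None
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if not m:
            continue  # blank lines and hand-written annotations are skipped
        field, value = m.groups()
        if field == 'Programs / Result':
            current = {'program': value}
            entries.append(current)
        elif current is not None:
            current[field] = value
    return entries


def version_tuple(text):
    """'11.2.202.235' -> (11, 2, 202, 235), so versions compare numerically."""
    return tuple(int(part) for part in text.split('.'))


def triage(entries, system_drive='C:'):
    """Attach a verdict to each entry: duplicate, off-system-drive,
    missing-patches, outdated, patched or check-status."""
    seen, results = set(), []
    for entry in entries:
        path = entry.get('Installed on Your System in', '')
        status = entry.get('Status', '')
        # normpath collapses 'Temp\..\' so the same file is recognised once
        key = ntpath.normpath(path).lower()
        kbs = list(dict.fromkeys(re.findall(r'KB\d+', status)))  # dedupe, keep order
        latest = _LATEST.search(status)
        detected = _VERSION.match(entry.get('Version Detected', ''))
        if key in seen:
            verdict = 'duplicate'
        elif not key.startswith(system_drive.lower() + '\\'):
            verdict = 'off-system-drive'  # installer or portable copy, not a running install
        elif kbs:
            verdict = 'missing-patches'
        elif latest and detected:
            verdict = ('outdated' if version_tuple(detected.group(1)) < version_tuple(latest.group(1))
                       else 'patched')
        else:
            verdict = 'check-status'
        seen.add(key)
        results.append({'program': entry['program'], 'path': path,
                        'verdict': verdict, 'missing_kbs': kbs})
    return results


if __name__ == '__main__':
    for r in triage(parse_report(SAMPLE_REPORT)):
        print('%-18s %s  %s' % (r['verdict'], r['program'], ' '.join(r['missing_kbs'])))
```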

#14 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 27 June 2012 - 08:34 AM

To recap, I've compiled important excerpts from your postings thus far.

Excerpts From first post:
**********************

I had problems five days ago with my online banking...I had been denied access to my account because they had reason to believe my computer was infected. I ran as many scans as I could think of...but there was no indication that I had an infection of any kind.

The bank reset their system (and I changed my password) and I no longer have trouble with that...

What I found most important about what you had to say here, relative to your suspicions about having the trojan(s) Zeus/Spyeye, is that your bank was able to resolve your issue after they "reset their system". One thing I'd like to point out though, is that the malware you had concern about is one that is spread largely via drive-by downloads, so you need to take care with what web sites you visit...and what you choose to download. My personal suspicion, if in fact you ever DID have any such malware on your system, is that it came via the use of the uTorrent software you had installed at the time you were having issues with your bank and email.

From second post in response to my findings/recommendations, including your usage of two antivirus programs installed running real time protection, and my warning about your usage of p2p software:
**********************

Firstly, to get straight to the point, I do NOT use two anti-virus programs. I use AVG...I knew ESET was recommended by the fixers on this site. So I scanned with it and it apparently installed itself as well...it will be uninstalled as soon as the problems I have are fixed.
...For the record, I am confident that the Winamp exe files are harmless.

Secondly...my email account was hacked yesterday...I went online with a clean computer and changed my password but somehow the same thing seems to have happened again. I have changed my password again but am getting rather anxious about it...

Fact is, you are using two anti-virus programs. My recommendation is to uninstall ESET now if you choose to keep using AVG. Using two antivirus programs actually reduces your level of protection. I might also point out, ESET does not install by itself upon using the online scanner. I tried it myself after you made that comment just to see if things may have changed there. I find no evidence of such a foisting of ESET's program. If you install it, it must be a purposeful act of your free will. One other possibility, which is what I actually suspect, is a lack of attention. I am in no way trying to make light of your situation, nor am I trying to ruffle any feathers. I simply mean to point you to the possible reason for ESET being installed on your system.

From third post:
**********************

I use a web-based email service and yes...I changed my password with a different, "secure" machine... You said "To assume you have some infection on board simply because your email was hacked is inappropriate and usually inaccurate". I agree with that but would like to point out that I did not make that assumption. My assumption that I was infected was a result of several things, primarily my bank's insistence that I could not login to online banking because they had detected a virus on the PC I was using to connect.

A few days after...we had a call from someone asking if our computer was running slow.

It was shortly after this that IE and Chrome started having problems (as described in my first post) and the fact that all of these problems were only evident on one machine out of three led me to the conclusion that there was an infection of some kind on this PC. Hopefully that clarifies my train of thought.

I ran combofix (and installed the Recovery Console) as suggested and here is the log:

My only comment here is that when you changed your password, your system was, at that time, either:
1) infected with some keylogger (as you had suspected), or
2) a remote hacker was connected at the time, or
3) your chosen password was not strong enough to avoid guessing, or
4) the machine you used to change the password wasn't as secure as you thought.

From fourth post:
**********************

The computer seems to be running okay, though having said that I'm doing very little on it. I won't be comfortable using it to go online unless I've found and killed something malicious. (Finding nothing won't exactly put my mind at ease after the problems I've had.) Do you have any information on the "OpenCandy" entries in the logs below?

I'm very cautious about using the PC to visit any sites where I need to enter a password and I would be grateful for any advice you can give me to ensure there is nothing lingering on my machine. Many thanks.

According to the combofix log, I would agree...it does seem to me that the computer should be running ok. Also, according to the ESET scan itself, the OpenCandy seems to also have some connection with the winamp file which you said you were convinced is just fine and that you took this to be a false positive. I should point out that any suspicion of a false positive shouldn't just be passed over based on your opinion, but should be confirmed by the antivirus vendor themselves.

From fifth post:
**********************

...My point was that, having had problems with the PC, I would be happier if we had found a problem and fixed it. The fact that we have not found the source of the problem is why I'm still worrying...

The only other thing I have noticed is in my Device Manager. Looking at hidden devices displays an extra list of "Non-Plug and Play Drivers", which includes "catchme", with a yellow warning symbol on it. Is this part of ComboFix? (And will it disappear when we uninstall ComboFix?)

In conclusion, it looks like you consider the machine to be clean. If this were your own PC, would you be happy to close the case or is there another type of scan you would recommend I run to be 100% sure? I freely admit to still being troubled by my bank's insistence that I had Zeus, Cylon or Spyeye on my machine and I would hate to start surfing again while having a keylogger or other malware on my computer.

I look forward to hearing from you. Many thanks again.

As to your first point here, I believe we DID find the source of the problem...uTorrent. The Device Manager's entry regarding "catchme" is moot really. The catchme driver is from a rootkit scanner and its presence is harmless. It does come from combofix, but it will still be there even after we uninstall combofix, showing up as a grayed out entry. I assure you, it's harmless but if it still bothers you, let me know and I'll render instructions as to how you can remove the grayed out entry.

From sixth post (which created a new thread):
**********************

I was in the middle of fixing a problem on my machine with some input from 1972vet when he closed the thread before it was resolved...
I am starting a new thread as requested although I am not sure what anyone else will find (or look for) in this scan as 1972vet didn't tell me why he wanted me to run it.

I'm not very happy that I've been hung out to dry when I have a machine that I have good reason to believe is infected. I hope someone can look at my post below, as well as the original post here http://www.bleepingcomputer.com/forums/topic457021.html/page__gopid__2737032 and give me some advice. I appreciate any replies, specifically those that can address the original Cylon/Spyeye/Zeus problem mentioned...

Anyway, take a look and see if there's anything that's of use to you. I would appreciate it if you could let me know the best way to install the most current version of Flash.

I closed the thread because I hadn't heard from you in 5 days. As to your assumption that I had not told you why I wanted you to run the secunia scan, it was in response to your last posting concern...that is, you had asked me if it were my system, what other "scan" would I perform. Running the secunia scan is what I recommended in response to that concern. I would also like to dispel the notion that you have been "hung out to dry". Even if I had not agreed to have your thread re-opened, there are throngs of other experts here who would pick up your issue in my absence.

In summary, I'd have to say that the only remaining issue seems to be your own perception of things. The scan logs indicate a relatively clean machine. Nothing seems to indicate a reason for having your email account hacked (online) except for the possibilities already outlined/detailed above. If there are any other issues, please indicate in detail what they are so we can address them. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#15 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:02:04 PM

Posted 01 July 2012 - 06:11 AM

Still with us furiouszed?
