Registered User
Join Date: Jul 2006
Posts: 91
OS: Vista Ultimate 64bit
Keylogger? Hunting...
The problem is pretty simple, but I can't seem to find it...
I have recently had a password hijacked and used to get into my 'WoW' account, all of that stuff is being sorted, but I am kinda paranoid as to how they got it in the first place and trying to make sure everything is secure.

I have done so many scans... Spybot, Avira, Ad-Aware, Panda Active, and none of them turned up anything so I will post my logs in the hope you can find something/to make sure that the system is clean.

As a note, I have 2 computers, right now I am doing the scans to my computer I use for websites etc, my gaming machine scans I can do in a bit but I wasn't sure if you wanted 1 thread or 2. This computer is XP, the other is Vista 64...

Anyway, on with the attachments and text. Thank you for your time.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Mr Bond at 23:23:41.64 on 18/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.408 [GMT 1:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mr Bond\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [WebCam Go Plus Sti Service Application] Wcgopsvc
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\mrbond~1\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\progra~1\icq\ICQ.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-29 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-18 28544]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-12-1 11608]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-12-1 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-12-1 151297]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-12-1 52056]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1003344]
R3 WCGOPHAL;WCGOPHAL;c:\windows\system32\drivers\Wcgophal.sys [2008-12-1 13576]
R3 WCGOPVID;Video Blaster WebCam Go Plus (WDM);c:\windows\system32\drivers\Wcgopvid.sys [2008-12-1 91077]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-4-29 12672]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2008-12-1 79360]

=============== Created Last 30 ================

2009-06-18 15:19 <DIR> --d----- c:\docume~1\mrbond~1\applic~1\Malwarebytes
2009-06-18 15:19 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-18 15:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-18 15:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-18 15:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-18 08:42 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-18 08:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-18 02:01 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-06-18 02:00 <DIR> --d----- c:\program files\Panda Security
2009-05-29 22:25 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-29 22:13 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-29 22:11 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-29 22:11 <DIR> --d----- c:\program files\Lavasoft

==================== Find3M ====================

2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-15 00:30 22,344 a---h--- c:\windows\system32\mlfcache.dat
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-03-11 06:05 20,576 a------- c:\docume~1\mrbond~1\applic~1\GDIPFONTCACHEV1.DAT
2008-12-01 21:37 456 a------- c:\program files\INSTALL.LOG
2008-12-05 22:40 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-12-05 22:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-12-01 10:48 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120120081202\index.dat
2008-12-05 22:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
2009-01-07 19:10 32,768 a--sh--- c:\windows\temp\cookies\index.dat
2009-01-07 19:10 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-01-07 19:10 49,152 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 23:24:16.65 ===============