I need help determining if I have a keylogger or other malware

Old 06-13-2010, 07:28 PM   #1
SXR
Registered Member
 
Join Date: Jan 2009
Posts: 13
OS: Windows 7 / XP SP3 dual boot


I have recently started having strange things happen with my PC and am wondering if I have a keylogger or other malware.

One day, when I turned my PC on, I immediately noticed there was this strange shortcut on my desktop, that was named "Delete". I like a clean desktop and do not keep any shortcuts on it at all. I moved the mouse over this shortcut and a small box popped up that read "javascript:;". This was very strange to me because I had not installed or uninstalled any software or anything that I could remember. I just left the shortcut on the desktop because I was trying to decide if it was anything I needed to worry about.

Then the other day, I started my PC again and when I tried to start my Firefox browser a window popped up on the screen.

At the top it read "Warning: Unresponsive Script"

then the message below was:

"A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.

Script: file:///E:/Program%20Files/Mozilla%20Firefox/components/nsBlocklistService.js:648"

then there was a "Don't ask me again" box to check and "Stop script" and "Continue" buttons to click. I clicked "Stop script" and Firefox then started and seemed fine. I was still concerned about these things because I haven't seen anything like it before. It made me think about some strange emails I had recently received.

In the last few weeks, I have received emails from yahoo email addresses that belong to people I know, but the emails have no subject and only contain a link to an unknown website (example: hxxp://garciazaxoqu.chat.ru). I did open these emails because I recognized the email addresses, but I did not click on the links because it did not seem like something anyone I know would send to me without any explanation of what the link was for. I have since received bounced emails, that I did not send out, that contain similar links. I don't know if simply opening those other emails could have infected my PC with something or not without me clicking the link.

I have F-Secure Client Security 8 anti virus/spyware and firewall software and it has not shown any viruses or spyware detected.

I downloaded and ran Spybot S&D and it did not come up with anything.

I did some googling and saw older references to problems with yahoo mail servers being hacked and people's email accounts being compromised, but the most recent post I saw was from a few months ago.

I then came here and followed the instructions for posting a problem here.

I ran dds.scr and this is the result:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Admin at 19:30:35.75 on Sun 06/13/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2431 [GMT -4:00]

AV: F-Secure Client Security 8.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Client Security 8.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Creative\Shared Files\CTAudSvc.exe
E:\WINDOWS\system32\CTsvcCDA.exe
E:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
E:\Program Files\F-Secure\Common\FSMA32.EXE
E:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
E:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
E:\Program Files\CDBurnerXP\NMSAccessU.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe -k imgsvc
E:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\F-Secure\Anti-Virus\fssm32.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Analog Devices\Core\smax4pnp.exe
E:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
E:\Program Files\Freecorder\FLVSrvc.exe
E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\system32\CTHELPER.EXE
E:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\F-Secure\Common\FSLAUNCH.EXE
E:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - e:\program files\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - e:\program files\freecorder\tbFre1.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - e:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - e:\program files\freecorder\tbFre1.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - e:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - e:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - e:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - e:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - e:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - e:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - e:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - e:\program files\freecorder\tbFre1.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - e:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus Photo RX580 Series] e:\windows\system32\spool\drivers\w32x86\3\e_fatibpa.exe /fu "e:\windows\temp\E_S34C.tmp" /EF "HKCU"
uRun: [Google Update] "e:\documents and settings\admin\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "e:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [TrueTransparency] "d:\downloads\windows xp themes\truetransparency-crystalxp.net-en-5139\truetransparency\TrueTransparency.exe"
uRun: [CTSyncU.exe] "e:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Messenger (Yahoo!)] "e:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] e:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMAXPnP] e:\program files\analog devices\core\smax4pnp.exe
mRun: [F-Secure Manager] "e:\program files\f-secure\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "e:\program files\f-secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [EEventManager] e:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [Freecorder FLV Service] "e:\program files\freecorder\FLVSrvc.exe" /run
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "e:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "e:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [CTHelper] CTHELPER.EXE
mRun: [SunJavaUpdateSched] "e:\program files\common files\java\java update\jusched.exe"
IE: Google Sidewiki... - e:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - e:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\program files\spybot - search & destroy\SDHelper.dll
LSP: e:\program files\f-secure\fsps\program\FSLSP.DLL
DPF: DirectAnimation Java Classes - file://e:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://e:\windows\java\classes\xmldso.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15112/CTPID.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - e:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\admin\applic~1\mozilla\firefox\profiles\1xscypxb.default\
FF - component: e:\documents and settings\admin\application data\mozilla\firefox\profiles\1xscypxb.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - component: e:\documents and settings\admin\application data\mozilla\firefox\profiles\1xscypxb.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
FF - component: e:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: e:\documents and settings\admin\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: e:\documents and settings\admin\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: e:\documents and settings\admin\local settings\application data\yahoo!\browserplus\2.8.1\plugins\npybrowserplus_2.8.1.dll
FF - plugin: e:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: e:\program files\gametap\bin\release\npgametaptool.dll
FF - plugin: e:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: e:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: e:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: e:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: e:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
e:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
e:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
e:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "https://www.firefox.com");
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;e:\windows\system32\drivers\fsbts.sys [2009-2-13 33920]
R0 FSFW;F-Secure Firewall Driver;e:\windows\system32\drivers\fsdfw.sys [2009-2-13 79872]
R1 F-Secure HIPS;F-Secure HIPS Driver;e:\program files\f-secure\hips\drivers\fshs.sys [2009-2-13 66720]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;e:\program files\f-secure\anti-virus\fsgk32st.exe [2009-2-13 215648]
R3 COMMONFX.SYS;COMMONFX.SYS;e:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;e:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;e:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;e:\program files\f-secure\anti-virus\minifilter\fsgk.sys [2009-2-13 113864]
S2 gupdate;Google Update Service (gupdate);e:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S3 COMMONFX;COMMONFX;e:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;e:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-4-16 79360]
S3 CTAUDFX;CTAUDFX;e:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;e:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTERFXFX;CTERFXFX;e:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTSBLFX;CTSBLFX;e:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
S3 F-Secure Network Request Broker;F-Secure Network Request Broker;e:\program files\f-secure\common\FNRB32.exe [2009-2-13 162456]
S3 FSORSPClient;F-Secure ORSP Client;e:\program files\f-secure\orsp client\fsorsp.exe [2009-2-13 55904]
S4 F-Secure Filter;F-Secure File System Filter;e:\program files\f-secure\anti-virus\win2k\fsfilter.sys [2009-2-13 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;e:\program files\f-secure\anti-virus\win2k\fsrec.sys [2009-2-13 25184]

=============== Created Last 30 ================

2010-06-13 22:15:39 0 d-----w- e:\windows\system32\appmgmt

==================== Find3M ====================

2010-06-13 23:28:00 0 ----a-w- e:\windows\system32\drivers\lvuvc.hs
2010-06-13 23:27:57 0 ----a-w- e:\windows\system32\drivers\logiflt.iad
2010-04-26 13:34:18 411368 ----a-w- e:\windows\system32\deployJava1.dll
2010-04-16 13:14:58 445016 ----a-w- e:\windows\system32\wrap_oal.dll
2010-04-16 13:14:58 109144 ----a-w- e:\windows\system32\OpenAL32.dll
2010-04-05 22:05:07 499712 ----a-w- e:\windows\system32\msvcp71.dll
2010-04-05 22:05:07 348160 ----a-w- e:\windows\system32\msvcr71.dll
2010-03-18 23:19:58 43520 ----a-w- e:\windows\system32\CTBurst.dll
2010-03-18 23:19:42 11776 ----a-w- e:\windows\system32\inres.dll
2010-03-18 23:19:42 11776 ----a-w- e:\windows\INRES.DLL
2010-03-18 23:19:38 182272 ----a-w- e:\windows\system32\ctdvinst.dll
2010-03-18 23:19:36 86528 ----a-w- e:\windows\system32\ctcoinst.dll
2010-03-18 23:18:32 10752 ----a-w- e:\windows\system32\a3d.dll
2010-03-18 23:18:14 11776 ----a-w- e:\windows\system32\ac3api.dll
2010-03-18 23:07:54 51787 ----a-w- e:\windows\system32\ctdlang.dat
2010-03-18 23:07:54 386852 ----a-w- e:\windows\system32\ctdnlstr.dat
2010-03-18 23:07:18 196096 ----a-w- e:\windows\system32\ctemupia.dll
2010-03-18 23:04:06 176128 ----a-w- e:\windows\system32\ct_oal.dll
2010-03-18 23:04:04 46592 ----a-w- e:\windows\system32\ctasio.dll
2010-03-18 23:04:00 49152 ----a-w- e:\windows\system32\ctdproxy.dll
2010-03-18 23:03:22 69632 ----a-w- e:\windows\system32\ctosuser.dll
2010-03-18 23:03:20 6144 ----a-w- e:\windows\system32\sfman32.dll
2010-03-18 23:03:18 125952 ----a-w- e:\windows\system32\sfms32.dll
2010-03-18 23:03:12 13312 ----a-w- e:\windows\system32\regplib.exe
2010-03-18 23:03:10 64512 ----a-w- e:\windows\system32\piaproxy.dll
2010-03-18 23:02:14 149838 ----a-w- e:\windows\system32\ctbas2w.dat
2010-03-18 23:00:42 274587 ----a-w- e:\windows\system32\ctsbas2w.dat
2010-03-18 23:00:28 241084 ----a-w- e:\windows\system32\CTSBASW.DAT
2010-03-18 23:00:28 115166 ----a-w- e:\windows\system32\CTBASICW.DAT
2010-03-18 22:59:56 53932 ----a-w- e:\windows\system32\ctdaught.dat
2010-03-18 22:59:56 313207 ----a-w- e:\windows\system32\ctstatic.dat
2010-03-18 22:59:54 5120 ----a-w- e:\windows\system32\enlocstr.exe
2010-03-18 22:59:50 10240 ----a-w- e:\windows\system32\killapps.exe
2010-03-18 22:59:28 28672 ----a-w- e:\windows\system32\MIDIDEF.EXE
2010-03-18 22:59:26 33792 ----a-w- e:\windows\system32\devreg.dll
2010-03-07 22:02:30 16384 --sha-w- e:\windows\temp\cookies\index.dat
2010-03-07 22:02:30 16384 --sha-w- e:\windows\temp\history\history.ie5\index.dat
2010-03-07 22:02:30 16384 --sha-w- e:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 19:31:02.85 ===============


I have a windows xp install disk.

I don't know if there is any keylogger or other malware/viruses or not, but it seems that someone has had access to my yahoo account and sent emails out. I use this PC for banking and paying bills as well, so I want to make sure someone does not have the ability to get my user names and passwords.

thanks for any help you can provide.
Attached Files: attach.zip (3.9 KB)
Old 06-19-2010, 01:06 PM   #2
SXR
Registered Member
 
Join Date: Jan 2009
Posts: 13
OS: Windows 7 / XP SP3 dual boot



BUMP Please
Old 06-19-2010, 08:36 PM   #3
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Hello SXR,

Have you changed the passwords to your yahoo mail yet? If not, please do so.

Regarding the script error with Firefox, that seems to be an ongoing problem and you're not alone. https://forums.mozillazine.org/viewto...f=38&t=1762475

Try uninstalling older versions of Java via the Add or Remove programs in your Control Panel as some of them have done, and see if that helps.
In your case, it would be Java(TM) 6 Update 7.


In as far as the emails, I'd like for you to run this online scan and see if it picks up on anything. It can take some time, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
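The Java advice above comes straight from the DDS log: the DPF lines and the hidden Firefox "Java Console" extensions reference both 1.6.0_07 and 1.6.0_20, and the older one is the leftover to remove. The script below is an added illustration, not part of the thread or of the DDS tool, of how a helper reads such a log mechanically: it decodes the jinstall URLs and Sun's versioned CAFEEFAC CLSIDs (digit layout assumed from the well-known pattern) to list Java runtimes and flag the outdated ones, and also surfaces the *disabled* protection flags, "No File" orphans and Hosts entries. The sample lines are constructed in the shape of the log posted above.

```python
import re
from typing import Dict, List

# Constructed sample: a few lines in the shape DDS emits, modelled on the log
# posted above ("hxxp" is DDS's own defanging of http).
SAMPLE_DDS = r"""
AV: F-Secure Client Security 8.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Client Security 8.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Version embedded in the Sun installer filename: jinstall-1_6_0_07-...
JINSTALL_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-", re.I)

# Sun's versioned CLSIDs: CAFEEFAC-00Mm-00uu-00UU-ABCDEFFEDCBA with decimal
# digits (0016-0000-0007 -> 1.6.0_07). Assumed layout. The all-F form is the
# "latest version" alias and carries no version, so \d deliberately rejects it.
JAVA_CLSID_RE = re.compile(
    r"CAFEEFAC-00(\d)(\d)-00(\d\d)-00(\d\d)-ABCDEFFEDCBA", re.I)


def _version_key(version: str):
    """'1.6.0_07' -> (1, 6, 0, 7) so that versions sort numerically."""
    head, update = version.split("_")
    return tuple(int(x) for x in head.split(".")) + (int(update),)


def java_versions(lines: List[str]) -> List[str]:
    """Every Java runtime referenced by DPF or HiddenExtension lines, sorted."""
    found = set()
    for line in lines:
        for pattern in (JINSTALL_RE, JAVA_CLSID_RE):
            m = pattern.search(line)
            if m:
                major, minor, micro, update = m.groups()
                found.add(f"{int(major)}.{int(minor)}.{int(micro)}_{update}")
    return sorted(found, key=_version_key)


def outdated_java(versions: List[str]) -> List[str]:
    """All but the newest release: the installs the helper asks to uninstall."""
    if not versions:
        return []
    newest = max(versions, key=_version_key)
    return [v for v in versions if v != newest]


def protection_issues(lines: List[str]) -> List[str]:
    """DDS wraps a disabled AV/firewall component in *...*; surface those flags."""
    issues = []
    for line in lines:
        if line.startswith(("AV:", "FW:")):
            for flag in re.findall(r"\*(.+?)\*", line):
                if "disabled" in flag.lower():
                    issues.append(f"{line[:2]} {flag}")
    return issues


def orphaned_entries(lines: List[str]) -> List[str]:
    """Registry entries whose target is gone ('- No File'): leftovers to clean."""
    return [line.rsplit(" - No File", 1)[0]
            for line in lines if line.rstrip().endswith("- No File")]


def hosts_entries(lines: List[str]) -> List[str]:
    """Hosts-file overrides; each one deserves a manual look."""
    return [line[len("Hosts:"):].strip()
            for line in lines if line.startswith("Hosts:")]


def triage(text: str) -> Dict[str, List[str]]:
    """Run every check over a DDS-style report and collect the findings."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    versions = java_versions(lines)
    return {
        "java_versions": versions,
        "java_outdated": outdated_java(versions),
        "protection_issues": protection_issues(lines),
        "orphaned_entries": orphaned_entries(lines),
        "hosts_entries": hosts_entries(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```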
Old 06-20-2010, 08:28 PM   #4
SXR
Registered Member
 
Join Date: Jan 2009
Posts: 13
OS: Windows 7 / XP SP3 dual boot



ok, I ran the Kaspersky online scanner and the results are pasted below:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, June 20, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3, v.3264 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, June 20, 2010 03:00:26
Records in database: 4299383
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\
T:\

Scan statistics:
Objects scanned: 618145
Threats found: 9
Infected objects found: 21
Suspicious objects found: 0
Scan duration: 18:26:23


File name / Threat / Threats count
D:\download\encarta\Encarta Reference Library 2009\Encarta Reference Library 2009\encarta_ref_lib_2009.iso Infected: Packed.Win32.Krap.x 1
D:\download\encarta\Encarta Reference Library 2009\Encarta Reference Library 2009\encarta_ref_lib_2009.iso Infected: Trojan-Downloader.Win32.FraudLoad.wxkt 2
D:\download\encarta\Microsoft Encarta Premium 2009\Microsoft Encarta Premium 2009\encart_premium_2009.iso Infected: Trojan-Downloader.Win32.Agent.ciqh 5
D:\Toshiba Data backup\Downloads\Adata 2GB\Magical Jellybean keyfinder\kf151.zip Infected: not-a-virus:PSWTool.Win32.RAS.g 1
D:\Toshiba Data backup\Downloads\Adata 2GB\Magical Jellybean keyfinder\kf151.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 1
D:\Toshiba Data backup\Downloads\Magical Jellybean keyfinder\kf151.zip Infected: not-a-virus:PSWTool.Win32.RAS.g 1
D:\Toshiba Data backup\Downloads\Magical Jellybean keyfinder\kf151.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 1
D:\Toshiba Data backup\Downloads\REATOGO\REATOGO-240\plugin\AUTOHELP\Files\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 1
D:\Toshiba Data backup\Downloads\REATOGO\REATOGO-240\plugin\AUTOHELP\Files\Tools\reatogoFile2Cmd.exe Infected: Trojan-Downloader.Win32.Banload.atoq 1
D:\Toshiba Data backup\Downloads\REATOGO\REATOGO-240\plugin\CrossPackage_Transfer\Disk\Partition\MbrFix\MbrFix.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
D:\Toshiba Data backup\Downloads\REATOGO\REATOGO-240\plugin\CrossPackage_Transfer\Password\Benchmark\passwordspro\files\PasswordsPro.exe Infected: not-a-virus:PSWTool.Win32.PasswordsPro.k 1
D:\Toshiba Data backup\Downloads\REATOGO\REATOGO-240\ReatogoPE\PROGRAMS\mbrfix\MbrFix.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
D:\Toshiba Data backup\Downloads\REATOGO\REATOGO-240\ReatogoPE\PROGRAMS\PassPro\PasswordsPro.exe Infected: not-a-virus:PSWTool.Win32.PasswordsPro.k 1
D:\Toshiba Data backup\Downloads\REATOGO\REATOGO-240.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 1
D:\Toshiba Data backup\Downloads\REATOGO\REATOGO-240.exe Infected: Trojan-Downloader.Win32.Banload.atoq 1
D:\Toshiba Data backup\Downloads\UBCD4WinV320.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1

Selected area has been scanned.
Old 06-20-2010, 08:42 PM   #5
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Where did you get ReaToGo from?
Old 06-20-2010, 10:39 PM   #6
SXR
Registered Member
 
Join Date: Jan 2009
Posts: 13
OS: Windows 7 / XP SP3 dual boot



I'm pretty sure that I just downloaded it from the Reatogo website since I just looked again and it's available to download from the site and is a relatively small file.

I downloaded it a while back though and have never used it. I was planning to try it to make a XP live cd but just never got around to it so it's just been there...

it's always shown up on my F-Secure antivirus scans as 'riskware' and I thought it was just 'false positive' stuff since I thought that was a legitimate program.
Old 06-20-2010, 10:42 PM   #7
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



As long as you downloaded it from their site, then yes - all is well and those are false detections that can safely be ignored.

Have you changed the password to your Yahoo mail yet? Are you still getting spam emails?


As a side note, do take the time to create that REATOGO boot cd. It doesn't take very long to do, and can come in handy some day.
Old 06-20-2010, 11:09 PM   #8
SXR
Registered Member
 
Join Date: Jan 2009
Posts: 13
OS: Windows 7 / XP SP3 dual boot



ok, I don't really see why I would've downloaded it from anywhere else since it is a small download available from their website, but I'm not 100% positive since it was a while back. I have downloaded linux distributions and other open source .iso's etc from bit torrent using Vuze in the past, but not lately, and I uninstalled Vuze prior to doing these scans. I guess I could just delete the reatogo stuff and download it again from the site to be sure.

I did change my yahoo password when I got the bounced emails that I had supposedly sent out. I have not gotten any more emails like that since that day. I just didn't understand how someone could have used my account to send the emails. Do you think that my system is free of any keylogger or anything since those were the only things that showed up?

I do need to make that reatogo xp live cd.. I get sidetracked with all these things.. haha.
Old 06-21-2010, 08:11 PM   #9
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



I can't tell you for certain how someone got a hold of your Yahoo password.

All I can tell you is that the logs are coming back clean. It doesn't mean that the system is clean, just that no malware is showing up in scans we've run.
Old 06-22-2010, 01:13 PM   #10
SXR
Registered Member
 
Join Date: Jan 2009
Posts: 13
OS: Windows 7 / XP SP3 dual boot



ok, thanks for your help.

hopefully my system is clean but it just bothers me that I don't know how someone got into my yahoo account like that... but I would think if there was a keylogger on my system they would have cleaned out my bank account by now and that hasn't happened so maybe I'm ok.
Old 06-22-2010, 09:20 PM   #11
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Quote:
In the last few weeks, I have received emails from yahoo email addresses that belong to people I know but the emails have no subject and only contain a link to an unknown website (example: hxxp://garciazaxoqu.chat.ru) I did open these emails because I recognized the email addresses but I did not click on the links because it did not seem like something anyone I know would send to me without any explanation of what the link was for.
As far as receiving yahoo emails from people you know, it may not have been a full blown keylogger on your system.

It could have started out as one or more of your friends' yahoo email acct being hacked and opening that email - even though you didn't click on the link - may have been enough for them to get a hold of your password for your yahoo acct.

Since we have no way of knowing how this began or what the true cause is/was, I would keep my eye on the bank accounts for the next month or so, or - back up important data, format the computer and do a fresh install.
Old 06-23-2010, 02:41 PM   #12
SXR
Registered Member
 
Join Date: Jan 2009
Posts: 13
OS: Windows 7 / XP SP3 dual boot



ok, thanks for the help and advice.
Old 06-24-2010, 09:18 PM   #13
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



You're welcome.
 
