
Possible Keylogger?



Someone changed my World of Warcraft account password yesterday, and I just want to make sure that my computer isn't infected. I ran both a full computer scan and a rootkit scan in AVG, and I did a full scan in Spybot - Search & Destroy. AVG didn't find anything, and Spybot only found cookies, so I thought I'd get a HijackThis log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:29:57 PM, on 9/4/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Documents and Settings\Erik\Local Settings\Application Data\Google\Update\1.3.21.69\GoogleCrashHandler.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Erik\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 4147 bytes

Is there anything suspect here?


From MBAM:

-------------------------------------------------------
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 7750
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/19/2011 4:53:20 PM
mbam-log-2011-09-19 (16-53-20).txt

Scan type: Quick scan
Objects scanned: 151508
Time elapsed: 3 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-----------------------------------------------------

From DDS:

-----------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Erik at 19:42:52 on 2011-09-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1087 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Documents and Settings\Erik\Local Settings\Application Data\Google\Update\1.3.21.69\GoogleCrashHandler.exe
svchost.exe
C:\Documents and Settings\Erik\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Erik\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Erik\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Erik\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Erik\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Erik\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Erik\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\Erik\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Documents and Settings\Erik\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Erik\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Erik\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\NDP40-KB2539636-x86.exe
c:\7f928870bac70c0ab4b3488c01f99c03\Setup.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
c:\WINDOWS\system32\MsiExec.exe
.
============== Pseudo HJT Report ===============
.
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
uRun: [Google Update] "c:\documents and settings\erik\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246 192.168.1.1
TCP: Interfaces\{EE30A89B-A118-4F8B-9957-4813EB650E8D} : DhcpNameServer = 68.87.71.230 68.87.73.246 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
R3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2008-4-4 136832]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-19 23:42:43 -------- d-----w- C:\7f928870bac70c0ab4b3488c01f99c03
2011-09-19 20:51:32 -------- d-----w- c:\documents and settings\erik\application data\NVIDIA
2011-09-19 20:47:47 -------- d-----w- c:\documents and settings\erik\application data\Malwarebytes
2011-09-19 20:47:29 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-19 20:47:25 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-19 20:47:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-19 20:40:52 -------- d-----w- c:\program files\DOOM 3 and Resurrection of Evil 1.3.1 with open coop
2011-09-19 19:54:16 -------- d-----w- c:\program files\uTorrent
2011-09-19 19:53:39 -------- d-----w- c:\documents and settings\erik\local settings\application data\uTorrent
2011-09-19 19:53:39 -------- d-----w- c:\documents and settings\erik\application data\uTorrent
2011-09-04 21:21:46 388096 ----a-r- c:\documents and settings\erik\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-09-04 21:21:46 -------- d-----w- c:\program files\Trend Micro
2011-09-04 20:42:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-09-04 20:42:50 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-08-31 06:08:24 -------- d-----w- c:\windows\system32\LogFiles
2011-08-31 02:43:58 -------- d-----w- c:\program files\World of Warcraft
2011-08-31 02:43:58 -------- d-----w- c:\program files\common files\Blizzard Entertainment
2011-08-31 02:43:27 -------- d-----w- c:\documents and settings\all users\application data\Blizzard Entertainment
2011-08-31 00:01:03 -------- d-----w- c:\program files\AVG
.
==================== Find3M ====================
.
2011-09-01 02:52:12 280276 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-09-01 02:52:12 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-09-01 02:51:54 280276 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-08-30 23:36:31 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-08-30 20:59:49 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2011-08-30 20:59:49 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2011-08-30 02:54:26 93568 ----a-w- c:\windows\system32\drivers\nvata.sys
2011-08-30 02:54:26 33280 ----a-w- c:\windows\system32\NVCOI.DLL
2011-08-30 02:54:26 176128 ----a-w- c:\windows\system32\nvusmb.exe
2011-08-30 02:54:26 176128 ------w- c:\windows\system32\nvuide.exe
2011-08-30 02:54:25 289792 ----a-w- c:\windows\system32\idecoins.dll
2011-08-30 02:54:25 289792 ----a-w- c:\windows\system32\idecoi.dll
2011-08-30 02:54:20 209920 ----a-w- c:\windows\system32\drivers\nvsnpu.sys
2011-08-30 02:54:20 101120 ----a-w- c:\windows\system32\drivers\nvtcp.sys
2011-08-30 02:54:19 33280 ----a-w- c:\windows\system32\nvconrmins.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 19:44:17.64 ===============

Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
