Tracing a hacker and deleting trojans?

Status
This thread has been Locked and is not open to further replies. The original thread starter may use the Report button to request it be reopened but anyone else with a similar issue should start a New Thread. Watch our Welcome Guide to learn how to use this site.

upsidexxx

Thread Starter
Joined
Apr 20, 2001
Messages
103
My system has been hacked since I created a Facebook account, and I am missing over 10 GB of hard drive space which I can't access, and I can't see what the missing space is filled with.

My C drive is 20 GB. There are only 9 GB of Windows files on it, but Windows says the drive has no free space, therefore something invisible has filled 10 GB of space on the drive.

I can't make those files visible. AVG, HJT, CounterSpy, Ad-Aware, Malwarebytes Anti-Malware, a-squared Anti-Malware and ESET all say the drive is clean.

The computer has become very slow, my Outlook email goes crazy, and something is uploading information from my computer.
When I had the Facebook page, all my friends started getting spam which appeared to be from me, and then their email and Hotmail also got compromised and infected. I only regained control of my email by deleting my Facebook page and changing my email passwords.



I want help to trace who and where the hacker is before I clean my computer of this rubbish.


Help!
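An added example (editor's code, not from the original posts or from any of the scanners named in this thread) for the concrete symptom in the post above: a volume that reports no free space while the files you can see add up to far less. Explorer's free-space figure comes from the volume, but its folder sizes come only from files it is allowed to list and chooses to show. pagefile.sys, hiberfil.sys and System Volume Information (the restore-point store, which the DDS output further down shows is active) are hidden protected operating-system files, and the last of these cannot be listed by an ordinary user, so a walk that stops at the first access error under-counts exactly where the "missing" gigabytes tend to live. The script below walks a tree counting hidden and system files, records every directory it could not enter instead of skipping it silently, and compares the total with what the volume says is used; the remaining gap is what no readable file accounts for. The sample tree and its file sizes are constructed for the example.

```python
"""Account for the used space on a volume, counting hidden and system files
and listing directories that could not be entered.

Added example for this thread, not code from the original posts or from any
of the tools named in it. The sample tree built by build_sample_tree() is
constructed for the example and is not a real volume.
"""
import os
import shutil
import stat
import sys
import tempfile


def walk_volume(root):
    """Sum file sizes under root; return (bytes_seen, per_top_level, denied).

    Hidden and system files are not filtered out: os.scandir lists them and
    st_size counts them. Directories we cannot open are recorded in `denied`
    instead of being skipped silently. Symlinks and junctions are not
    followed, so the same bytes are not counted twice.
    """
    seen = 0
    per_top = {}
    denied = []
    stack = [(root, None)]
    while stack:
        path, top = stack.pop()
        try:
            entries = list(os.scandir(path))
        except PermissionError:
            denied.append(path)
            continue
        for entry in entries:
            key = top if top is not None else entry.name
            try:
                st = entry.stat(follow_symlinks=False)
            except (PermissionError, FileNotFoundError):
                denied.append(entry.path)
                continue
            if stat.S_ISDIR(st.st_mode):
                stack.append((entry.path, key))
            elif stat.S_ISREG(st.st_mode):
                seen += st.st_size
                per_top[key] = per_top.get(key, 0) + st.st_size
    return seen, per_top, denied


def unaccounted(root):
    """Compare bytes attributed to files with what the volume reports as used.

    A large gap with an empty `denied` list points at something a file walk
    cannot see (NTFS metadata, shadow copies, a hidden partition, a file
    hidden by a rootkit); a large gap with a non-empty `denied` list usually
    means the space is inside the directories listed there.
    """
    used = shutil.disk_usage(root).used
    seen, per_top, denied = walk_volume(root)
    return {
        "used": used,
        "seen": seen,
        "gap": used - seen,
        "top": sorted(per_top.items(), key=lambda kv: -kv[1]),
        "denied": denied,
    }


def build_sample_tree(base):
    """Constructed sample tree (not a real volume): a system folder, a program
    folder, a pagefile-style file at the root, one folder made unreadable."""
    sizes = {
        os.path.join("WINDOWS", "system32", "ntoskrnl.exe"): 2_000_000,
        os.path.join("Program Files", "app.exe"): 500_000,
        "pagefile.sys": 3_000_000,
        os.path.join("System Volume Information", "restore.bin"): 1_000_000,
    }
    for rel, size in sizes.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0" * size)
    # No read permission: on POSIX the walk reports this folder as denied
    # (unless run as root); on Windows chmod does not restrict directories.
    os.chmod(os.path.join(base, "System Volume Information"), 0)
    return sizes


def demo():
    """Run the walker over the constructed tree; return what it saw."""
    with tempfile.TemporaryDirectory() as base:
        sizes = build_sample_tree(base)
        seen, per_top, denied = walk_volume(base)
        os.chmod(os.path.join(base, "System Volume Information"), 0o700)
    return sizes, seen, per_top, denied


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.abspath(os.sep)
    result = unaccounted(target)
    print("used %d, attributed %d, gap %d" % (result["used"], result["seen"], result["gap"]))
    for name, size in result["top"][:10]:
        print("%12d  %s" % (size, name))
    for path in result["denied"]:
        print("could not enter: %s" % path)
```

Run it from an administrator account against the drive root (for example with `C:\` as the argument). If the gap stays large and the denied list is empty, the space is held by something a file walk cannot see, and a disk-level view (a partition table check, or a scan from clean boot media) is the next step rather than another signature scan.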
 
Joined
Mar 5, 2009
Messages
824
Please post the HijackThis log here. If anything is found, I would ask a person authorized to deal with malware to help you cope with this problem.
 

upsidexxx

Thread Starter
Joined
Apr 20, 2001
Messages
103
Scan saved at 10:07:51 PM, on 13/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
E:\apps install 3\OpwareSE2.exe
E:\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
E:\apps install 3\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
E:\apps install 3\firefox.exe
E:\apps install 4\a-squared Anti-Malware\a2service.exe
E:\apps install 4\a-squared Anti-Malware\a2wizard.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
E:\apps zipped\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - E:\apps install 1\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\apps install 1\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [OpwareSE2] "E:\apps install 3\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [a-squared] "E:\apps install 4\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = E:\apps install 4\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\apps install 3\WZQKPICK.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - E:\apps install 4\a-squared Anti-Malware\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6948 bytes
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
I would love to know what shows as infected in the logs.


Download to Desktop: DDS by sUBs from one of these locations:

http://www.techsupportforum.com/sectools/sUBs/dds
http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

Double-click DDS.scr to run it.

When complete, DDS.txt will open.

Click Yes for Optional Scan.
Save both reports to your desktop.
DDS.txt
Attach.txt

Attach the contents of both logs back here.

Download the GMER rootkit detector from http://gmer.net

Unzip it and double-click the gmer.exe file.

It will do a quick scan automatically. When that finishes,

select the Rootkit tab and press Scan.

When it has finished, press Copy and post back the log it makes.

Let's see if they show any signs of infection, but I honestly can't see anything in the HJT log.
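The reply above asks for more logs because the HijackThis log shows nothing. Reading such a log by hand means scanning the O2/O3/O4/O23 entries for targets that no longer exist, for binaries launched from places software should not be launched from, and for names that are resolved through the search path at logon. The script below is an added example (editor's code, not from the thread or from HijackThis) that applies exactly those three checks to a log. The sample it runs on is constructed and modelled on the log posted above; its `[updater]` entry under Temp is invented to produce a hit and is not taken from that log. The checks are heuristics: a per-user install that lives under Local Settings\Application Data is flagged too, and an entry that passes all three says nothing about whether the file is what its name claims, so the hash of each flagged binary is the next thing to look up.

```python
"""Triage a HijackThis log: keep the autorun and hook sections, then flag the
entries that deserve a second look.

Added example for this thread, not code from the original posts or from
HijackThis. The three checks are the reviewer's assumptions about what is
worth a look, not a verdict:
  * a target of "(no file)" is an orphan (something was removed, or never
    installed), harmless by itself but worth knowing about;
  * a Run entry given as a bare file name is resolved through the search
    path at logon and cannot be verified from the log alone;
  * a binary started from a user-writable location (Temp, profile folders,
    Desktop, Application Data) is out of place on a 2009-era XP box.
"""
import re

# Sections worth triaging: BHOs (O2), toolbars (O3), Run keys and startup
# folders (O4), Winlogon notify DLLs (O20), services (O23), URL hooks (R3).
LINE_RE = re.compile(r"^(O2|O3|O4|O20|O23|R3) - (.*)$")
# A drive-rooted path ending in a loadable module, optionally quoted.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|sys|scr))"?', re.IGNORECASE)
USER_WRITABLE = (
    "\\local settings\\",
    "\\application data\\",
    "\\my documents\\",
    "\\temp\\",
    "\\desktop\\",
    "\\recycler\\",
)


def triage(log_text):
    """Return a list of (section, reason, line) for entries worth a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if "(no file)" in body:
            findings.append((section, "orphan", line))
            continue
        if section == "O4":
            # Text after "[name] " is the command HijackThis recorded.
            target = body.split("] ", 1)[-1].strip().strip('"')
            if "\\" not in target and target.lower().endswith((".exe", ".dll")):
                findings.append((section, "bare filename", line))
                continue
        path = PATH_RE.search(body)
        if path is None:
            continue
        if any(marker in path.group(1).lower() for marker in USER_WRITABLE):
            findings.append((section, "user-writable path", line))
    return findings


# Constructed sample, modelled on the log posted in the thread. The orphaned
# BHO and the bare SOUNDMAN.EXE entry have the same form as entries in that
# log; the "[updater]" line is made up for the example and is NOT from it.
SAMPLE_LOG = r"""
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OpwareSE2] "E:\apps install 3\OpwareSE2.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\mark\Local Settings\Temp\svchost.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print("%-4s %-20s %s" % (section, reason, line))
```

Against the sample this reports the orphaned BHO, the bare SOUNDMAN.EXE entry and the invented Temp binary, and nothing else; run on a saved log it gives a short list to check hashes for, which is what a log reader does before deciding a log is clean.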
 

upsidexxx

Thread Starter
Joined
Apr 20, 2001
Messages
103
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 18/03/2009 11:01:17 AM
System Uptime: 6/12/2009 11:46:15 PM (-4212 hours ago)

Motherboard: ASUSTeK Computer Inc. | | A8V Deluxe
Processor: AMD Athlon(tm) 64 Processor 3000+ | Socket 939 | 1802/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 21 GiB total, 2.576 GiB free.
D: is FIXED (NTFS) - 75 GiB total, 68.985 GiB free.
E: is FIXED (NTFS) - 21 GiB total, 12.13 GiB free.
F: is FIXED (NTFS) - 32 GiB total, 31.478 GiB free.
G: is Removable
H: is Removable
I: is CDROM ()
J: is CDROM (CDFS)

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_00001131&REV_01\4&68889E5&0&4070
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_00001131&REV_01\4&68889E5&0&4070
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_00001131&REV_01\4&68889E5&0&4870
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_00001131&REV_01\4&68889E5&0&4870
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_00001131&REV_01\4&68889E5&0&5070
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_00001131&REV_01\4&68889E5&0&5070
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_00001131&REV_01\4&68889E5&0&5870
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_00001131&REV_01\4&68889E5&0&5870
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_00001131&REV_01\4&68889E5&0&6070
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_00001131&REV_01\4&68889E5&0&6070
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_00001131&REV_01\4&68889E5&0&6870
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_00001131&REV_01\4&68889E5&0&6870
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_00001131&REV_01\4&68889E5&0&7070
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_00001131&REV_01\4&68889E5&0&7070
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_00001131&REV_01\4&68889E5&0&7870
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_1131&DEV_7130&SUBSYS_00001131&REV_01\4&68889E5&0&7870
Service:

==== System Restore Points ===================

RP96: 4/06/2009 2:41:16 PM - System Checkpoint
RP97: 6/06/2009 1:09:28 AM - System Checkpoint
RP98: 7/06/2009 1:34:19 AM - System Checkpoint
RP99: 9/06/2009 1:51:05 AM - System Checkpoint
RP100: 10/06/2009 12:05:22 PM - System Checkpoint
RP101: 12/06/2009 9:45:35 AM - Avg8 Update
RP102: 12/06/2009 9:47:21 AM - Avg8 Update
RP103: 12/06/2009 11:43:19 PM - Installed CounterSpy.
RP104: 13/06/2009 8:41:39 PM - Removed CounterSpy.

==== Installed Programs ======================

a-squared Anti-Malware 4.5
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
ATI Display Driver
AVG Free 8.5
Canon MP Navigator 2.2
Canon MP830
Canon Utilities Easy-PhotoPrint
CD-LabelPrint
Create Your Own
Critical Update for Windows Media Player 11 (KB959772)
e-Record 6
Easy-WebPrint
ESET Online Scanner v3
FileNet Desktop eForms
Foxit Reader
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Instant Estimator v2.0
Java(TM) 6 Update 13
LightScribe 1.4.142.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.11)
MSXML 4.0 SP2 (KB954430)
Nero 7 Essentials
OLYMPUS CAMEDIA Master 4.2
OpenOffice.org 2.4
Outlook Express Backup Genie v2.0
Presto! PageManager 7.15.11
QuickTime
Realtek AC'97 Audio
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
The Bourse 6.9.2
TurboCAD Professional 14
TurboCAD Symbols
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VIA Integrated Setup Wizard
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinZip 11.1

==== Event Viewer Messages From Past Week ========

8/06/2009 3:09:32 PM, error: ati2mtag [45062] - CRT invalid display type

==== End Of File ===========================
 

upsidexxx

Thread Starter
Joined
Apr 20, 2001
Messages
103
DDS (Ver_09-05-14.01) - NTFSx86
Run by mark at 11:26:59.42 on Sun 14/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.334 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: a-squared Anti-Malware *On-access scanning enabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
E:\apps install 3\OpwareSE2.exe
E:\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
E:\apps install 3\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Outlook Express\msimn.exe
E:\apps install 3\firefox.exe
E:\APPS INSTALL 4\A-SQUARED ANTI-MALWARE\a2guard.exe
E:\apps install 4\a-squared Anti-Malware\a2service.exe
C:\Documents and Settings\mark\Desktop\dds.scr
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - e:\apps install 1\easy-webprint\EWPBrowseLoader.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - e:\apps install 1\easy-webprint\Toolband.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [OpwareSE2] "e:\apps install 3\OpwareSE2.exe"
mRun: [QuickTime Task] "E:\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [a-squared] "e:\apps install 4\a-squared anti-malware\a2guard.exe" /d=60
mRunOnce: [Malwarebytes' Anti-Malware] e:\apps install 2\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\mark\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - e:\apps install 4\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\viarai~1.lnk - c:\program files\via\raid\raid_tool.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - e:\apps install 3\WZQKPICK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mark\applic~1\mozilla\firefox\profiles\xt20pbu9.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: e:\apps install 3\plugins\npOGAPlugin.dll
FF - plugin: e:\plugins\npqtplugin.dll
FF - plugin: e:\plugins\npqtplugin2.dll
FF - plugin: e:\plugins\npqtplugin3.dll
FF - plugin: e:\plugins\npqtplugin4.dll
FF - plugin: e:\plugins\npqtplugin5.dll
FF - plugin: e:\plugins\npqtplugin6.dll
FF - plugin: e:\plugins\npqtplugin7.dll

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2009-3-18 77312]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-21 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-21 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-21 108552]
R2 a2AntiMalware;a-squared Anti-Malware Service;e:\apps install 4\a-squared anti-malware\a2service.exe [2009-6-13 718880]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-21 298776]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]
S3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]

=============== Created Last 30 ================

2009-06-13 22:37 <DIR> --d----- c:\docume~1\mark\applic~1\Malwarebytes
2009-06-13 22:37 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-13 22:37 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-13 22:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-13 00:22 <DIR> --d----- c:\program files\ESET
2009-06-12 23:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-06-12 09:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-05-24 22:35 69 a------- c:\windows\NeroDigital.ini
2009-05-21 00:57 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-21 00:57 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-21 00:56 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-21 00:56 <DIR> --d----- c:\docume~1\mark\applic~1\AVGTOOLBAR
2009-05-21 00:56 108,552 a------- c:\windows\system32\drivers\avgtdix.sys

==================== Find3M ====================

2009-04-06 13:55 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-02 21:20 5,058 a------- c:\windows\help\hhcolreg.dat
2009-03-28 00:42 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-19 11:23 1,409 a------- c:\windows\fonts\NOTEHNBI.FOT
2009-03-18 09:55 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 11:27:56.03 ===============
 

upsidexxx

Thread Starter
Joined
Apr 20, 2001
Messages
103
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-14 12:06:12
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Outlook Express\msimn.exe[280] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01F50001
.text C:\WINDOWS\system32\SearchIndexer.exe[1040] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[2168] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01B10001
.text E:\apps install 4\a-squared Anti-Malware\a2service.exe[2180] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text E:\apps install 4\a-squared Anti-Malware\a2service.exe[2180] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 00454935 E:\apps install 4\a-squared Anti-Malware\a2service.exe (a-squared Service/Emsi Software GmbH)
.text C:\WINDOWS\system32\SearchFilterHost.exe[2336] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\Program Files\Java\jre6\bin\jucheck.exe[2472] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01960001
.text C:\WINDOWS\system32\wuauclt.exe[2540] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E80001
.text C:\WINDOWS\SOUNDMAN.EXE[2576] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FE0001
.text E:\apps install 3\OpwareSE2.exe[2592] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B90001
.text E:\qttask.exe[2600] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CE0001
.text ...
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[2708] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)
.text C:\Program Files\VIA\RAID\raid_tool.exe[2748] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 010B0001
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2760] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E10001
.text E:\apps install 3\WZQKPICK.EXE[2784] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FC0001
.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[2820] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D80001
.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[2828] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 04E60001
.text C:\Documents and Settings\mark\Desktop\qhsepvx2.exe[3148] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\SearchProtocolHost.exe[3492] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text E:\apps install 3\firefox.exe[3864] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B40001
.text E:\apps install 3\firefox.exe[3864] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???)?)???????????????????????????????????????n???????????y???F?G?F??base???????)#???? ???????)?????)????????????????????v???????????????????????????????????????????????????????????????LegacyDriver?3???=?=?=?=?=?=?=?)?)?).d??NOEXECUTE=OPTIN FASTDETECT?????????????????????????????Base?&?????)???)????? ???????)????????????????????????????#???????(??<???)???)???;?:?;?????=???=???=?????????3??????????????14??PlugPlay??????X??>???.????h???????????????????????????????????????????????es???????)#???? ???????)?????)????????????????????&???????????????????????????????ce??? ???????)?????)????????????????\???X????????????????????????????????????????????????? ??)???6??????SBRE????multi(0)disk(0)rdisk(0)partition(1)??????3??? ???????)?????)??????????$???????????#??????? ??)???5??p????????;?;?;?;?;????H??)???????????????????????.??????????????????????????????????s????$?(?)?(?)?)???????)#???? ???????)???????????????????? ???????????????s????????????????????r?????)???????)??????????????CanonMP830????????????????????e????????

---- EOF - GMER 1.0.15 ----
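The user-code section of the GMER log above shows the same two hook sites (kernel32.dll!LoadLibraryExW + C4 and kernel32.dll!FreeLibrary + 15) in nearly every listed process. That pattern is how a security product instruments a machine system-wide (this one runs both AVG and a-squared), and the two sites differ in an instructive way: the FreeLibrary hook calls the same address, 7170003D, in every process, as a DLL mapped at the same base everywhere would, while the LoadLibraryExW hook calls a different address in each process, as a per-process trampoline would. The script below is an added example (editor's code, not from the thread or from GMER) that parses these lines, groups them by hook site and applies that rule of thumb. The rule is an assumption, not a GMER feature: many processes at one offset reads as product-wide instrumentation; one process with no module named as the destination's owner reads as something to dump and inspect. The sample is constructed from lines of the same form as the log above; its ws2_32.dll!send line is made up for the example and does not appear in that log.

```python
"""Group the user-mode hooks in a GMER log by hook site and ask two questions
of each: how many processes carry it, and does the jump land in the same
place every time.

Added example for this thread, not code from the original posts or from
GMER. The verdict strings encode a heuristic (an assumption of the example),
not anything GMER itself reports. The ws2_32.dll!send sample line is
constructed and is not from the log in the thread.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<func>\S+?)(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<dest>[0-9A-Fa-f]{8})(?:\s+(?P<owner>\S.*))?$"
)


def parse_hooks(log_text):
    """Parse '.text <process>[pid] <module!func>[ + off] <addr> <n> Bytes
    <JMP|CALL> <dest>[ <owner module>]' lines; other lines are ignored."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            h = m.groupdict()
            h["site"] = h["func"] + (" + " + h["off"] if h["off"] else "")
            hooks.append(h)
    return hooks


def summarize(log_text, product_threshold=3):
    """Return {site: summary} with a heuristic verdict per hook site."""
    by_site = defaultdict(list)
    for h in parse_hooks(log_text):
        by_site[h["site"]].append(h)
    report = {}
    for site, hs in by_site.items():
        procs = {h["proc"] for h in hs}
        dests = {h["dest"] for h in hs}
        owners = sorted({h["owner"] for h in hs if h["owner"]})
        if len(procs) >= product_threshold:
            verdict = "system-wide: consistent with an installed security product"
        elif owners:
            verdict = "destination owned by a named module: check that module"
        else:
            verdict = "single-process hook with no named owner: dump and inspect the target"
        report[site] = {
            "kinds": sorted({h["kind"] for h in hs}),
            "processes": len(procs),
            "same_destination": len(dests) == 1,
            "owners": owners,
            "verdict": verdict,
        }
    return report


# Constructed sample: the first nine lines have the same form as lines in the
# thread's GMER log; the ws2_32.dll!send line is invented for the example.
SAMPLE = r"""
.text C:\Program Files\Outlook Express\msimn.exe[280] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01F50001
.text C:\WINDOWS\Explorer.EXE[2168] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01B10001
.text C:\WINDOWS\system32\wuauclt.exe[2540] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E80001
.text E:\apps install 3\firefox.exe[3864] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B40001
.text E:\apps install 4\a-squared Anti-Malware\a2service.exe[2180] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\SearchFilterHost.exe[2336] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text E:\apps install 3\firefox.exe[3864] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\SearchIndexer.exe[1040] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[2168] ws2_32.dll!send 71AB4C27 5 Bytes JMP 00A20000
.text ...
"""

if __name__ == "__main__":
    for site, info in summarize(SAMPLE).items():
        print("%-36s %d proc(s), same dest=%s: %s"
              % (site, info["processes"], info["same_destination"], info["verdict"]))
```

On the real log the two kernel32 sites come out as system-wide and the SearchIndexer WriteFile hook resolves to a named Microsoft module, which matches the "nothing there" reading given below; the invented send hook is the shape of finding that would change that reading.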
 

upsidexxx

Thread Starter
Joined
Apr 20, 2001
Messages
103
Thanks for the help so far. GMER shows nothing.

So what is occupying the missing 10 GB of the HDD partition?

And does this mean the person who hacked my computer and email account has now ceased doing so, or does it mean the method they use is too sophisticated to find?

Would a hacker remove exploit applications from my computer when they are finished spoofing off my email account and uploading business documents from my PC?

I never saw a thief do housework before.

What do you think?

Thanks for the assistance.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
I can see no sign of any malware there at all.

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser as well as Internet Explorer or instead of it then also do this step

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser as well as Internet Explorer or instead of it then also do this step

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.


Notes for Windows Vista users:

On Windows Vista, "Windows Temp" is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".
Prefetch has been disabled on Windows Vista. As the author is not sure of the effects that emptying Prefetch on Windows Vista will have, for the time being that function won't be enabled.
 

upsidexxx

Thread Starter
Joined
Apr 20, 2001
Messages
103
Thanks, but none of that worked.

I can only assume it is not an amateur hacker.

I won't assume anything.

The conspiracy theorists might suggest that we can't even discuss environmental conservation on the net these days without Big Brother taking an interest.
.
.
. :)
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
I think in this case the safest thing to do is format and reload Windows from scratch.
 