Help!!! Internet Explorer problems! New comp!! Used only for 2 weeks. Possible keylogger and virus!

Help!!! Internet Explorer problems! New comp!! Used only for 2 weeks. Possible keylogger and virus!

Hey everyone. I just bought this comp recently and seldom used it since i got it. But my brother in law was using it the other day and noticed that someone hacked into his facebook account and msn account and threatened people. He has to change his password everytime he has to log in. Also when i went to see what was going on which is possible a keylogger. I noticed that Internet Explorer kept going back to the site for Java sun mircosystems which is Java script. I believe he went on there to update the Java. Unfortunatlately this has happened and i just got the new comp. I scanned it with AVG and Eset anti- virus and Spybot search and destroy, Malware bytes Anti-Malware, and Panda active scan and clean some warnings like cookies and trackers and stuff. But still has the same problem with Internet Explorer and my brother in law's msn account and facebook. I just downloaded the new Zone alarms and might install it for one last try. I have made a Trend Mirco Hijack this file and attached it below. Possible get superantispyware and adaware.
Any other advise or programs to download? Please share.
Hoping someone will come to the rescue. =)
Thanks in advance.

Anthony



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:08 PM, on 2/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\VSO\ConvertX\3\ConvertXtoDvd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe" -r
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2160665388-2605988156-3439230702-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 10836 bytes

 

You people just aren't that bright, are you? Chances are that the cracked versions of software that you are illegally downloading is what got you guys into this mess in the first place.

 

Format your entire hard drive, reinstall windows and stay away from crack sites. Problem solved.

 

Wow you got nothing nice to say huh. I hardly used this comp and i just used that site sometimes. I usually use tucows.com or something significant. I know for a face that is not the reason why i'm having trouble with this problem hense i hardly used this comp since purchasing it. I was just looking for friendly help from this site because everyone else here are more knowledgeable in this field. I have no time for immature comments from you buddy stop being such a ETHUG. I just wanted to see if there is anyone out there who would be greatful to help me out in this situation. Just because i don't have any vast knowledge about cpu's and stuff fixing malware and viruses doesn't give you the right to call me not bright . Thanks for your 2 cents. And please can i have someone who actually has something nice to say and would be able to help me with this problem.

 

Thanks for the advise. But the problem i believe isn't because i went to that certain site to download something. I only use the computer to check my email since i purchase it and that's about it. I seldom use this comp only my brother in law has for the last couple weeks since date of purchase. Couple of days ago he noticed that he can't log into his msn messenger and hotmail and had to redo his password on that and facebook account everytime he logs on. So i figured its a keylogger. The only problem that occurs is when i try to use Internet Explorer. It just doesn't work or either just goes to the sun java site for java script. Just wondering if anyone has been in the same shoes as me and could help me out. I put down my Hijack this log so you can see what is on the comp . I ran a couple of my programs to scan the comp but still same problem. Just hope someone can help me out and fix the problem without reformatting the comp. Does the site castlecops still around or did they shutdown? This site and castle cops were always my first stop for help because of the knowledgeable members on these forums and thanks you for your consideration of your time. Thanks in advance.

 

aznrukus, this question is not for you but to others, I don't understand, you guys mentioned to stay away from crack sites which you believe got him into this sitch, in your opinions, what site, programs or downloads do you guys think got him into this problem.

 

There are at least 3 conflicting antivirus apps running... and I can see traces of spyware and a hidden ftp service proxy running, which must have been allowed or avg8 would have found it XD

typical windoze mess.. loads of junk running backgrounded with at least 5 possible browser exploit addons.

 

Thanks varnull. So what do you think i should do? for the antivirus apps? The hidden ftp service proxy running how would i be able to fix that?

My brother in law must have downloaded addons for the internet explorer and exploit addons which are 5 of them? Thanks alot for the help please let me know what i should do i'm scanning via zone alarms 8 right now. Thanks agian.

 

I hardly used the comp besides using a well knowned torrent site called demonoid. Otherwise from that my brother in law used the comp i just wanted to fix the problem for the internet explorer it's not even going onto any website on that browser. When i'm tried using the internet explorer it hardly worked or sometimes got into google but with x's everywhere. Or either it goes to the sun JAVA mircosystems aka Java site. So i used that one site to download one program Zonealarms. I'm using Mozilla at the moment. Thanks agian for the help appreciate it.

 

Format, reinstall XP, change passwords, stay away from bad places, end problem.

 

aznrukus, you really won't get any tech info from me cause I'm not smart enough to give any, but I still have a little common sense left, from what I am reading most of these people here are really not giving you much support on how to get rid of this problem besides re-formating which looks like it might be your only option.

Your problem seems two fold, more than one problem, I don't know what your brother in-law did but it sounds like he downloaded multiple problems, it seems you yourself performed some extensive checkups yourself which was good, I can't really see how much more you can do besides what these people are telling you. Most people here on AD do really know what they are talking about and I would take there advise.

Don't get to sore on some of the harsh statements, some people might actually feel you deserve this problem cause might think it's one's own stupidity that got you there even though it was not you that did it, most people have more compation than others, you'll get that on many forums but not that often on AD.

Unfortunatly your problem really looks problamatic, and you might think re-formating is a pain in the ass when in reality trying to solve this problem without re-formating might be a bigger one, reformat is what I would do, and after mostly use commom sense and stay away from problamatic sites, I know places like torrent are tempting but are known for some horrific viruses amongst others.

I know re-formating is a pain, but hey spend several hours when you got some plus time you'll also get rid of any other crap you might have in your computer, it's really a win sitch, back up all your stuff and do your thing, after it's over you'll feel much better plus have a clean machine.

 

How about what I find.. spend 14 or more hours clearing out rootkits and keyloggers and all kinds of malware only to have th machine back 2 days later with exactly the same problems.. format.. better still wipe with killdisk, then reinstall.

If you look around for a little thing called winkeyfinder 1.71 you can grab your installation key and activation off the wreck before you wipe it.. I'm not saying where to get the wpa crack.. suffice to say I use it every few days because M$ is so crap I don't believe in giving them the pleasure of charging me premium rate to activate a totally legal XP install.

Next time take the opportunity to split your drive into a couple of partitions and never keep any valuable data on the partition with windoze on it.
To transfer any data safely without having the malware go with it.. use puppylinux.. That's how I make £50 a go saving their "vital" data installing the M$ junk for people who download malware. plus you can partition the drive without leaving that chunk of (why the hell is it there anyway?.. bad partitioner??) unused space.

people know me well.. I'm actually being nice.. I have no sympathy for people who have problems because they run an inherently insecure operating system and a rubbish browser.

 

Here is a real world equivalent to your problem.
Your petunia patch is overridden with gophers. Do you spend 6 months trying to kill them one by one, or do you drop a 5oo kiloton nuke on them wiping all of them out at once. Replant and in 3 months you have a fresh petunia patch sans gophers. Just remember to install a good anti-gopher fence and don't let your petunias play in other flowerbeds where gophers dressed as dancing flowers live.
Back to reality, most people in the know keep all of their downloaded drivers, patched, programs and updates on one disk, all of their important documents, pictures, music, e-mail addresses etc backed up on another disk, so when the unthinkable does happen, everything can be reinstalled in a matter of hours. Like Varnull told you, some of the nastier bugs out there can disguise themselves very well indeed, and it may take a week of posting hijack this logs and waiting for replies to clean out everything. But, you can do as you wish, the security forum is very helpful, but remember these guys do other things than just wait for new posts to pop up.

Safer yet, switch to Linux for your browsing needs and leave viruses, trojans, and other nastiness behind.