
View Full Version : Help, Big Security problem



Vince
04-03-2011, 09:18 AM
I have been having a great deal of trouble with anything to do with passwords :horrified

One site renewed my password 7 times in 18/20 hours.

facebook is impossible. Phishing is apparently behind it.

Here is a hijack this log for you good people
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:37:45 a.m., on 4/03/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
F:\Program Files\Comodo\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
F:\Program Files\Tools\Avast Antivirus\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
F:\PROGRA~1\Tools\Cacheman\CACHEM~1\CachemanXP.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\eEBAPI\SAgent2.exe
F:\Program Files\Java\bin\jqs.exe
F:\Program Files\DiskPrograms\CD Burner XP\NMSAccessU.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
F:\PROGRA~1\SYSTEM~1\WScheduler.exe
F:\Program Files\Tools\Ava Find\AvaFind.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
F:\Program Files\Tools\Avast Antivirus\avastUI.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Comodo\COMODO\COMODO Internet Security\cfp.exe
F:\Program Files\IObit SmartDefrag\IObit SmartDefrag.exe
F:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
F:\Program Files\Tools\TaskBar Shuffle\Taskbar Shuffle\taskbarshuffle.exe
F:\Program Files\Mouse Driver\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\AZZ CARDFILE\azzCardfile\azzCardfile.exe
F:\Program Files\Chameleon Clock\ChamClock.exe
F:\Program Files\Mozilla Thunderbird\thunderbird.exe
F:\Program Files\Click-n-Type\Click-N-Type.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\SYSTEM32\SOL.EXE
C:\WINDOWS\SYSTEM32\FREECELL.EXE
C:\WINDOWS\SYSTEM32\spider.exe
C:\Program Files\Microsoft Works\WksDB.exe
C:\Program Files\Microsoft Works\MSWorks.exe
F:\Program Files\Firefox\firefox.exe
F:\Program Files\Firefox\plugin-container.exe
F:\Program Files\Password Safe\pwsafe.exe
C:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\MUSICMATCH\mmjb.exe
F:\Program Files\MUSICMATCH\MMDiag.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.xtramsn.co.nz/0SEENNZ/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\Tools\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - F:\Program Files\Canon Printer\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon Printer\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [WScheduler] F:\PROGRA~1\SYSTEM~1\WScheduler.exe /LOGON
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AvaFind] F:\Program Files\Tools\Ava Find\AvaFind.exe /minimized
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O6 "USB001" /M "Stylus C43"
O4 - HKLM\..\Run: [avast5] "F:\Program Files\Tools\Avast Antivirus\avastUI.exe" /nogui
O4 - HKLM\..\Run: [COMODO Internet Security] "F:\Program Files\Comodo\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SmartDefrag] "F:\Program Files\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /M "Stylus C43"
O4 - HKCU\..\Run: [Taskbar Shuffle] F:\Program Files\Tools\TaskBar Shuffle\Taskbar Shuffle\taskbarshuffle.exe
O4 - S-1-5-18 Startup: azzCardfile.lnk = F:\Program Files\AZZ CARDFILE\azzCardfile\azzCardfile.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: azzCardfile.lnk = F:\Program Files\AZZ CARDFILE\azzCardfile\azzCardfile.exe (User 'Default user')
O4 - Startup: azzCardfile.lnk = F:\Program Files\AZZ CARDFILE\azzCardfile\azzCardfile.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Mouse Driver\SetPoint\SetPoint.exe
O4 - Global Startup: Mozilla Firefox.lnk = F:\Program Files\Firefox\firefox.exe
O4 - Global Startup: Mozilla Thunderbird.lnk = F:\Program Files\Mozilla Thunderbird\thunderbird.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon Printer\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon Printer\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon Printer\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon Printer\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\Tools\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\Tools\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.paradise.net.nz/
O16 - DPF: ppctlcab -
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} -
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} -
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} -
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} -
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{90BCC2C4-DC62-44C0-A260-92D849F14D8C}: NameServer = 203.96.152.4,203.96.152.12
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\Tools\Super Spyware Remover\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - F:\Program Files\Tools\Avast Antivirus\AvastSvc.exe
O23 - Service: AVEPCOYVYOKME - Unknown owner - C:\DOCUME~1\VINCEN~1\LOCALS~1\Temp\AVEPCOYVYOKME.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - F:\PROGRA~1\Tools\Cacheman\CACHEM~1\CachemanXP.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - F:\Program Files\Comodo\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\eEBAPI\SAgent2.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - F:\Program Files\DiskPrograms\CD Burner XP\NMSAccessU.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 11782 bytes

GameJunkie
04-03-2011, 11:30 AM
IE6 is waaay out of date, that's probably why there's been phishing, so many loopholes in IE6

get IE8 from here http://www.microsoft.com/uk/windows/internet-explorer/worldwide-sites.aspx

more info about IE6 http://en.wikipedia.org/wiki/Internet_Explorer_6#Security_problems

1101
04-03-2011, 01:53 PM
Perhaps you have or had a keylogger or other trojan on that PC ?
Have you checked the AV logs & spyware scanner logs ??

This looks really suspicious: anyone have more info ??

O23 - Service: AVEPCOYVYOKME - Unknown owner - C:\DOCUME~1\VINCEN~1\LOCALS~1\Temp\AVEPCOYVYOKME.exe (file missing)

bot
04-03-2011, 02:01 PM
What's on drive F?
I noticed a lot of processes running from drive F.

Vince
04-03-2011, 05:09 PM
IE6 is waaay out of date, that's probably why there's been phishing, so many loopholes in IE6

get IE8 from here http://www.microsoft.com/uk/windows/internet-explorer/worldwide-sites.aspx

more info about IE6 http://en.wikipedia.org/wiki/Internet_Explorer_6#Security_problems

I use firefox.

pctek
04-03-2011, 05:18 PM
I have been having a great deal of trouble with anything to do with passwords :horrified

One site renewed my password 7 times in 18/20 hours.

facebook is impossible.

What trouble specifically. Just passwords not working or what?
What specifically with Facebook?

Vince
04-03-2011, 05:38 PM
What's on drive F?
I noticed a lot of processes running from drive F.

F is for programs. It is on a different physical disc, to spread the load.

Speedy Gonzales
04-03-2011, 06:44 PM
You can tick these then tick fix checked

Close browsers

O4 - HKLM\..\Run: [SmartDefrag] "F:\Program Files\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - Global Startup: Mozilla Firefox.lnk = F:\Program Files\Firefox\firefox.exe

O4 - Global Startup: Mozilla Thunderbird.lnk = F:\Program Files\Mozilla Thunderbird\thunderbird.exe

O16 - DPF: ppctlcab -

O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} -

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} -

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} -
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} -
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} -
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} -
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} -

O23 - Service: AVEPCOYVYOKME - Unknown owner - C:\DOCUME~1\VINCEN~1\LOCALS~1\Temp\AVEPCOYVYOKME.exe (file missing)
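
The entry 1101 singled out, and which Speedy Gonzales puts in the list to fix, is the one a log reviewer stops at: a service with a machine-generated name, no company in its version info, an image path under the user's Temp folder, and the file already gone. The Python below is an added example, not code from the thread or from HijackThis, that scores O23 service lines and O4 autorun lines for exactly those flags so the reasoning is explicit rather than gut feel. It runs over a handful of lines copied from the log posted above (re-joined where the forum software broke them); the weights, the threshold and the "looks generated" heuristic are my own assumptions.

```python
"""Score HijackThis O23 (service) and O4 (autorun) lines for reviewer red flags.

Added example, not part of the original thread. SAMPLE_LOG holds lines copied
from the posted log; weights and thresholds are assumptions made for this demo.
"""
import re
from dataclasses import dataclass, field

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?: \((?P<note>file missing)\))?$"
)
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Directories a legitimate service or logon autorun has no business living in.
# LOCALS~1 is the 8.3 form of "Local Settings" seen in the posted log.
TEMP_RE = re.compile(r"\\(temp|tmp|appdata|application data|locals~1)\\", re.I)


@dataclass
class Finding:
    kind: str            # "O23" or "O4"
    name: str            # service display name or Run-key value name
    path: str            # image path or full command line
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def looks_generated(name: str) -> bool:
    """One long run of same-case letters, no digits or spaces: AVEPCOYVYOKME."""
    return re.fullmatch(r"[A-Z]{10,}|[a-z]{10,}", name) is not None


def exe_stem(path: str) -> str:
    """Basename of a Windows path without its .exe extension."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return re.sub(r"\.exe$", "", base, flags=re.I)


def triage_service(m: "re.Match") -> Finding:
    f = Finding("O23", m["name"], m["path"])
    if TEMP_RE.search(f.path):
        f.add(3, "image path under a temp/profile directory")
    if m["note"] == "file missing":
        f.add(2, "service registered but image file is gone")
    if m["owner"].lower() == "unknown owner":
        f.add(1, "no company name in version info")
    if looks_generated(f.name) and f.name.upper() == exe_stem(f.path).upper():
        f.add(2, "machine-generated name identical to the executable")
    return f


def triage_autorun(m: "re.Match") -> Finding:
    f = Finding("O4", m["name"], m["cmd"])
    cmd = m["cmd"].strip()
    # First token is the executable; it is quoted when the path has spaces.
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    if "\\" not in exe:
        f.add(2, "bare filename, resolved through the search path at logon")
    if TEMP_RE.search(exe):
        f.add(3, "autorun from a temp/profile directory")
    return f


def triage(log_text: str) -> list:
    """Return findings with a non-zero score, highest score first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O23_RE.match(line)):
            findings.append(triage_service(m))
        elif (m := O4_RE.match(line)):
            findings.append(triage_autorun(m))
    return sorted((f for f in findings if f.score), key=lambda f: -f.score)


SUSPICIOUS = 3  # assumed threshold: at or above this, treat as hostile until proven otherwise

# Lines copied from the log posted in this thread (line breaks repaired).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast5] "F:\Program Files\Tools\Avast Antivirus\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O23 - Service: avast! Antivirus - AVAST Software - F:\Program Files\Tools\Avast Antivirus\AvastSvc.exe
O23 - Service: AVEPCOYVYOKME - Unknown owner - C:\DOCUME~1\VINCEN~1\LOCALS~1\Temp\AVEPCOYVYOKME.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - F:\Program Files\DiskPrograms\CD Burner XP\NMSAccessU.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        verdict = "SUSPICIOUS" if f.score >= SUSPICIOUS else "review"
        print(f"{verdict:10} {f.kind} {f.name!r} (score {f.score}): {'; '.join(f.reasons)}")
```

Run as-is it reports AVEPCOYVYOKME as suspicious on all four counts, lists NMSAccessU (unknown owner only) and the bare KHALMNPR.EXE autorun as review items, and says nothing about avast. On the machine itself, confirm whether the service key is still present with `sc qc AVEPCOYVYOKME` and remove it with `sc delete AVEPCOYVYOKME`; HijackThis's "fix checked" on an O23 line disables the service, while its Misc Tools "Delete an NT service" option, like sc, removes the key. A missing file does not mean the problem is gone: a randomly named service in Temp is normally created by an installer for something else, so the useful question is what else appeared on the system at the same time, which is a job for an offline scan and the AV logs rather than a tick in HijackThis.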

GameJunkie
04-03-2011, 06:59 PM
I use firefox.

that may be so but you should keep it up to date nonetheless

Vince
08-03-2011, 04:41 AM
that may be so but you should keep it up to date nonetheless

What makes you think I don't keep my software up to date!:annoyed:
I seem to have sorted the problem, don't really know how though.
Thanks

inphinity
08-03-2011, 08:58 AM
What makes you think I don't keep my software up to date!:annoyed:


MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

I'm thinking this is what he means ;)

GameJunkie
08-03-2011, 09:00 AM
I'm thinking this is what he means ;)

thank you

Vince
09-03-2011, 04:24 AM
I'm thinking this is what he means ;)

I upgraded to IE8 now a lot of programs don't work!

Vince
10-03-2011, 03:13 AM
I upgraded to IE8 now a lot of programs don't work!

I uninstalled ie8 and everything works again.

My computer is so up to date that the Installation Disc won't work any more. It declares itself obsolete.