afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > possible system compromise, urgent help needed
Possible System Compromise, Urgent Help Needed
Senior Member
11. July 2010 @ 18:15
Hi all, it has been a long time since I've posted here. I'm wondering if all the oldie members are still around, Rav009, Darkhadou? You guys alright? Not to mention ddp, =D

Here is my problem: today I tried logging into my Gmail account, and Google said to me that my account was doing something suspicious, so I had to verify it by giving my phone number. Very well, so I logged in after being forced to change my password and stuff, only to find lots of emails bouncing back which I had never sent. I looked in my Sent folder and there were dozens of emails, spam to be precise, sent using my account.

Google advised I check my computer for spyware, malware, viruses, trojans, you know; the whole shebang.

I did; I ran a Spybot SD scan, an MBAM scan, and a NOD32 AV scan, and all returned negative. Not one piece of malware found, not even a tracking cookie.

I use Spyware Blaster, and Spybot SD's Immunization system as preventative measures, and it has worked out so far.

So my question is, if my system was not compromised, as far as I can tell, then what was? How was my Gmail account "hacked", so to speak? How was it used to send those unsolicited mails?

Of course you can't tell me 100% for sure, but theories are good. And what can I do to prevent this?

I have taken the liberty of providing an HJT log below:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:13:43, on 11/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent 1.6.1\utorrent.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent 1.6.1\utorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1276809427859
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

--
End of file - 4958 bytes


All help is appreciated, and thank you all in advance.

EDIT - Some Extra Information

I am currently running a scan using SUPERAntiSpyware to see if that brings up anything.

In the meantime I'd like to ask a question: is there any problem in using both SpywareBlaster killbit protection AND Spybot SD's Immunization protection?

"He who asks is a fool for five minutes, but he who does not ask remains a fool forever." - Chinese Proverb BluRay.

This message has been edited since posting. Last time this message was edited on 11. July 2010 @ 18:55
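The HJT log above is the kind of thing a thread helper reads line by line: where does each autostart (O4) and service (O23) entry actually point, and does anything start from somewhere legitimate software does not live? The following script is an added example for this thread, not code from the poster or from HijackThis. It parses the O4 and O23 sections, pulls out the binary path, and flags entries outside the Windows or Program Files trees or services whose publisher is reported as "Unknown owner". The trusted-directory list is an assumption for a stock Windows XP install, and the sample input is six lines copied from the posted log plus two constructed entries (the `updater` autorun and the `exhelper` service) so the flag path is exercised; everything copied from the thread resolves under Windows or Program Files and is not flagged.

```python
"""Triage parser for HijackThis (HJT) O4/O23 log lines.

Added example for the AfterDawn thread; not code from the poster or from
HijackThis. It extracts the executable path from each autostart (O4) and
service (O23) entry and flags the ones a helper would look at twice:
binaries outside the Windows/Program Files trees, or services whose
publisher HJT prints as "Unknown owner". The trusted-directory list is an
assumption chosen for a default Windows XP install, not an HJT rule.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: on a stock XP box, legitimately installed software lives here.
# Anything auto-starting from a profile, temp or download directory deserves
# a closer look even when the AV scans came back clean.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /args
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O23 - Service: Display name (ShortName) - Publisher - C:\path\svc.exe
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - "
    r"(?P<company>.*?) - (?P<path>.+)$"
)
# First drive-letter path ending in .exe or .dll, quoted or bare, so that
# 'RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup' yields the DLL.
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll))"?', re.IGNORECASE)


@dataclass
class Entry:
    section: str      # "O4" or "O23"
    name: str         # autorun value name or service short name
    path: str         # resolved binary path, "" if none was found
    suspicious: bool
    reason: str


def extract_path(command: str) -> str:
    """Return the first .exe/.dll path in an HJT command field, or ''."""
    m = EXE_RE.search(command)
    return m.group(1) if m else ""


def assess(path: str, company: str = "") -> tuple[bool, str]:
    """Apply the triage heuristics; returns (suspicious, reason)."""
    if not path:
        return True, "no executable path found"
    if not path.lower().startswith(TRUSTED_PREFIXES):
        return True, "binary outside Windows/Program Files"
    if company.strip().lower() == "unknown owner":
        return True, "service publisher unknown"
    return False, ""


def parse_hjt(log: str) -> list[Entry]:
    """Parse O4 and O23 lines; every other HJT section is skipped."""
    entries: list[Entry] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            path = extract_path(m.group("cmd"))
            bad, why = assess(path)
            entries.append(Entry("O4", m.group("name"), path, bad, why))
        elif m := O23_RE.match(line):
            path = extract_path(m.group("path"))
            bad, why = assess(path, m.group("company"))
            entries.append(Entry("O23", m.group("short"), path, bad, why))
    return entries


def suspicious_names(log: str) -> list[str]:
    """Names of the entries the heuristics flagged, in log order."""
    return [e.name for e in parse_hjt(log) if e.suspicious]


# Six lines copied from the log in the thread plus two CONSTRUCTED entries
# (the 'updater' autorun and the 'exhelper' service) that are NOT in the
# poster's log; they exist only to show what a flagged entry looks like.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent 1.6.1\utorrent.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\update.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Example Helper (exhelper) - Unknown owner - C:\WINDOWS\system32\exhelper.exe
"""

if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        mark = "FLAG" if e.suspicious else "ok  "
        print(f"{mark} {e.section:<3} {e.name:<14} {e.path}  {e.reason}")
```

Run as a script it prints one line per entry with `ok` or `FLAG`; only the two constructed entries are flagged. The `O4 - Global Startup:` and `O4 - HKUS\...` forms in the posted log are deliberately not handled, so a real triage pass would extend the regexes rather than trust a silent skip.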

wiimatrix
Junior Member
14. July 2010 @ 17:37
Someone could hack your email without having spyware on your system. SpywareBlaster and Spybot - Search & Destroy work well together. I have the same setup as you with the addition of Malwarebytes Anti-Malware. A "layered" security approach is the best way. I would update Internet Explorer.
AfterDawn Addict
16. July 2010 @ 10:15



There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
Senior Member
16. July 2010 @ 19:17
@wiimatrix I use MBAM (Malwarebytes) too =D

@2oldGeek, hey, long time no see. Don't know if you remember me, but I remember you =D. You're always helpful; you gave me some firewall tips a few decades back, ha-ha, well it feels that way. Hope you're keeping good, man. Your link was wikid! Thanks a bunch.

Thanks guys.

P.S. wiimatrix, I don't use IE, I'm an Fx man, but even if I don't use it, do I have to update it?

"He who asks is a fool for five minutes, but he who does not ask remains a fool forever." - Chinese Proverb BluRay.
AfterDawn Addict
16. July 2010 @ 20:15
Yeah, I remember you BluRay. I'm not that old!

Glad the link helped.

Here's a little tip: use CCleaner, go to Options > Settings and check "Run CCleaner when the computer starts"; that way it will clean the bad guys out of your Temp files before they can be installed on your machine. Also go to Cookies and protect the ones you don't want cleaned out each time. Fx saves your login info for the sites that require it, and CCleaner will save your good cookies.

Good to hear from you BluRay, have a happy.

2oG
  © 1999-2025 by AfterDawn Ltd.