37 Posts

August 30th, 2007 23:00

Help with a compromised computer please.

Hi,
Our computer has been compromised. Our credit card number was stolen and today someone accessed our eBay account and started bidding on items. I tried running our McAfee scan but it froze up. Please help us make our computer safe again. Here is our HJT log.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:15 PM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.compwrx.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\HP Instant Support DI\bin\matcli.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://www.panicstruckpro.com
O15 - Trusted Zone: http://shop.wnd.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by140fd.bay140.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://74.62.246.240//activex/AMC.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E51A17AB-8F8F-4944-9B2D-22AF4E2F271B}: NameServer = 12.18.159.20,12.18.159.30
O23 - Service: McAfee Application Installer Cleanup (0091551188372136) (0091551188372136mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\009155~1.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
--
End of file - 10579 bytes
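A small triage helper for the log format above, added here as an example (it is not from this thread, from HijackThis or from any of the posters): it parses HijackThis v2 entry lines and flags the entry types an analyst would normally review by hand, run over a constructed sample shaped like the log in this post (GUIDs, hosts and addresses in the sample are placeholders). A flagged entry means "look at this", not "this is malware".

```python
"""Triage helper for HijackThis v2 log lines (example code, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis v2 layout; the values are placeholders,
# chosen only to exercise each entry type the triage rules look at.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O15 - Trusted Zone: http://shop.example.test
O16 - DPF: {00000000-0000-0000-0000-000000000001} - http://203.0.113.7//activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: NameServer = 192.0.2.20,192.0.2.30
O23 - Service: Example Cleanup (examplecleanup) - Example, Inc. - C:\WINDOWS\TEMP\EXAMPL~1.EXE
End of file - 999 bytes
"""

# HJT entries look like "O16 - <body>" or "R1 - <body>"; everything else
# (header, process list, "End of file") is skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
BARE_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> List[Finding]:
    """Return the entries worth a manual look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reason = None
        if section == "O15":
            reason = "site added to the IE Trusted Zone (relaxed security settings)"
        elif section == "O16" and BARE_IP_URL_RE.search(body):
            reason = "ActiveX control (DPF) downloaded from a bare IP address"
        elif section == "O17" and "NameServer" in body:
            reason = "custom DNS servers set; confirm they belong to the ISP"
        elif section == "O23" and re.search(r"\\TEMP\\", body, re.IGNORECASE):
            reason = "service binary runs from a TEMP directory"
        elif section == "R1" and ("ProxyOverride" in body or "ProxyServer" in body):
            reason = "IE proxy settings present; confirm they are intended"
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```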

4 Apprentice

20.5K Posts

August 31st, 2007 02:00

Hello mc41,

Some problems here:
1. Your credit card info was stolen, and someone is actually using it -- not a good sign.
2. Nothing shows up in Hijackthis. Yes, we can look deeper, but just the fact that the infection is hiding means that other scanners may not be able to see all components, and I cannot be sure we will ever be able to remove all of it.

You are strongly advised to do the following immediately:
1. Disconnect infected computer from the Internet and from any networked computers until the computer can be cleaned.
2. Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.
3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.
4. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
5. These infections can allow a hacker total and complete access to your computer. A hacker can operate your computer just as if he were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

Even if we do try our best to clean things up, I cannot guarantee that we can get your computer completely clean.

I suggest that you backup important files and reinstall everything from scratch. There are so many changes that could have been done already.

Here are some informative links:
Danger: Remote Access Trojans
Consumers - Identity Theft
When should I re-format? How should I reinstall?
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
Rootkits: The Obscure Hacker Attack
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Microsoft Says Recovery from Malware Becoming Impossible

2 Intern

2.5K Posts

August 31st, 2007 04:00

Of course there is another possibility - you were not hacked. There are literally hundreds of ways that your information could be obtained. Some are: from your snail mail, from your trash, when you used your credit to make a purchase (not on-line).

37 Posts

August 31st, 2007 09:00

Thank you for checking the HJT log. The credit card company was pretty sure the card number was taken off the internet. We thought it had been stolen someplace else but the person in the fraud department was pretty sure it was compromised online. Then someone started using our ebay account and we feared that something was lurking in our computer. Still not being sure that isn't the case, we have done as bugbatter suggested and changed passwords for important accounts on a clean computer. I did call my bank today to notify them that we may have been compromised. We will backup our files and start from scratch just to be safe. Thanks for the extra info. I am starting to read through it to learn more.
Debby 

37 Posts

August 31st, 2007 10:00

Bugbatter, I do have a question. When I backup my files, are they safe to use? There are some files I don't want to lose. Do the hackers lurk in the system but not my program files?
Debby

4 Apprentice

8.8K Posts

August 31st, 2007 18:00

Excuse me Bugbatter...

First of all msgale has no reason to post anything concerning this problem on this board here. It is under discussion in the V&S Board. That's where msgale should have replied and he knows that.

Lastly, why speculate where the leak came from? For peace of mind just reformat.

Please know we rarely instruct people to do this but this is of such a serious nature.

zb1

2 Intern

2.5K Posts

August 31st, 2007 19:00

Actually this is the correct place to post. MC41 was directed here by Ky331. Here, Bugbatter after reviewing the HJT log said he could see nothing wrong, and since he is an expert in HJT, one conclusion that can be made is there is no malware problem, another is that this is a problem that cannot be analyzed with HJT. Therefore other solutions need to be explored, which is why I wrote what I wrote. PS I always thought it was bad policy to work the same problem on more than one thread.

4 Apprentice

20.5K Posts

August 31st, 2007 20:00

msgale wrote:
"Bugbatter after reviewing the HJT log said he could see nothing wrong, and since he is an expert in HJT, one conclusion that can be made is there is no malware problem, another is that this is a problem that cannot be analyzed with HJT."

msgale, no, I did not say I "could see nothing wrong". I stated: "Nothing shows up in Hijackthis." In no way do I conclude that there is no malware problem. Furthermore, it is rare that we can completely analyze anything these days using only HijackThis. That is simply a starting point. IF the credit card had not been used, and we were dealing with bothersome adware or another type of spyware, we MAY have run rootkit detection tools and other diagnostic scanners, but in this case, I suggested that we go with the safest solution.

Had this been on one of the security focused forums, such as CastleCops, MalwareRemoval, SpywareInfo, SpywareWarrior, etc. I would have been in error to have told Debby anything other than what I did. Debby is free to go elsewhere for a second opinion. We try to keep the standards of this board as similar to those specialized sites as possible, and that is why we do not encourage members who have not been trained by one of the approved malware removal schools to reply in this forum. msgale, it is understood that once an analyst on the HijackThis Board has replied to a log, he will work one-to-one with the user to resolve the problem. There is a discussion thread relating to mc41's issue, on the Virus & Spyware board. We would be glad to have you join that one.
In addition to the articles posted above, this is an excellent resource for users of all levels:
Rootkits for Dummies (Paperback) by Larry Stevenson (Author), Nancy Altholz (Author)

--------------------------------------------------------------------------------------------

Debby, it is really best to routinely save backups while a system is healthy, as part of your regular maintenance. You cannot trust any data copied from a compromised system. You also do not know exactly how long the system has been compromised. However, perhaps you could save documents and important files to a backup CD. Label it, and set it aside someplace. If you ever find out that the leak was not from this computer, then you could use them again.
Do you not have clean copies of your programs? Even the programs that you've downloaded online can be downloaded again. If you have paid versions, many vendors will replace them if you know your registration #.

This reformat/reinstall will be time-consuming, and will not be convenient, but as zbestwun2001 mentioned above, it is for "peace of mind".

Best of luck.

Regards,
Bugbatter

4 Apprentice

20.5K Posts

September 1st, 2007 00:00

I think it would be a good idea to post your issue at a forum that specializes in security such as CastleCops. One of their forums is dedicated to rootkits as well.

http://www.castlecops.com/forums.html

You will need to register. They can check logs from all your computers.

I wish you well.

37 Posts

September 1st, 2007 00:00

Thanks.
Debby

37 Posts

September 1st, 2007 00:00

I have clean copies of my programs; it's the files I have in Microsoft Word and My Documents that I really need.

My credit card number was stolen possibly in May. We thought it was a one-time thing that we must have clicked on. Yesterday eBay was accessed. Could it be just a one-time peek at our computer? Or would you say these are the work of someone who is continuing to have access to the computer? These activities that we are aware of were over two months apart. We have a PayPal account with money in it that hasn't been accessed and I have logged into it a couple of times since the card was stolen.

I know reformatting is a huge thing but I don't want hackers getting my info. If I have to reformat, I will. I will lose some important info, though.

We have three computers. I assumed it was the main computer but after all the "discussion", I'm wondering if the logs from the other two computers should be posted before I reformat the main computer.
Thanks
Debby