[babblesrusso]

Someone has hijacked my Trillian/Yahoo Messenger and has done some bad things like trade one way for e-gold. I don't know what to look for and I am quite a novice when it comes to this kind of stuff.

Please help ASAP.


Logfile of HijackThis v1.99.1
Scan saved at 2:43:09 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Kris\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Startup: KERClink.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.co....cab?10,0,910,0
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE0B2C76-02DA-4C0A-956F-40E3BF2D8551}: NameServer = 68.87.66.196,68.7.64.196
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[Advertisements]

Please describe how you know that these problems have occurred.

Also, please

* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Please download Rootkit Revealer (link is at the very bottom of the page)

• Unzip it to your desktop.
• Open the rootkitrevealer folder and double-click rootkitrevealer.exe
• Click the Scan button (bottom right)
• It may take a while to scan (don't do anything while it's running)
• When it's done, go up to File > Save. Choose to save it to your desktop.
• Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

[coachwife6]

Please describe how you know that these problems have occurred.

Also, please

* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Please download Rootkit Revealer (link is at the very bottom of the page)

• Unzip it to your desktop.
• Open the rootkitrevealer folder and double-click rootkitrevealer.exe
• Click the Scan button (bottom right)
• It may take a while to scan (don't do anything while it's running)
• When it's done, go up to File > Save. Choose to save it to your desktop.
• Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

[babblesrusso]

The only reason I think someone hijacked my Trillian Yahoo Messenger is because I had several people email me back and say that they found someone to trade e-gold for paypal. However, I never did ask anyone nor do I ever ask anyone for e-gold trades. (I am a webmaster for several Paid To Read websites).



"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccleaner" = ""C:\Program Files\CCleaner\ccleaner.exe" /AUTO" ["CCleaner.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"AudioDeck" = "C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 " ["VIA Technologies, Inc."]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"NetLimiter" = "C:\Program Files\NetLimiter\NetLimiter.exe /s" ["LockTime"]
"ViewMgr" = "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" ["Viewpoint Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{29e3fb5b-cf62-45b5-b8bf-1ad500385fc7}" = "Shell Context Menu Handler for Application References"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{29e3fb5b-cf62-45b5-b8bf-1ad500385fc6}" = "Shell Context Menu Handler for Application Manifests"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Startup items in "Kris" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\Kris\Start Menu\Programs\Startup
"KERClink" -> shortcut to: "C:\Documents and Settings\Kris\Application Data\Microsoft\Installer\{2C39B806-5D27-4CEA-BB1D-1B09590DF669}\KERClink.exe2_EF29AA7D9AA242BBAEA77FCB8B543344.exe" ["InstallShield Software Corp."]
"Trillian" -> shortcut to: "C:\Program Files\Trillian\trillian.exe" ["Cerulean Studios"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\NetLimiter\nl_lsp.dll [null data], 01 - 05, 17
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
BJ Language Monitor2\Driver = "CNBJMON2.DLL" [MS]
SSGB2 Langmon\Driver = "Ssgb2mon.dll" ["Samsung Electronics."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 10 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 24 seconds.
---------- (total run time: 67 seconds)





i cant get root revealer to save to desktop. the scan shows 1 discrepancy found:

c:\\WINDOWS\Prefetch\CMD.EXE.087B4001.pf

[coachwife6]

The only reason I think someone hijacked my Trillian Yahoo Messenger is because I had several people email me back and say that they found someone to trade e-gold for paypal. However, I never did ask anyone nor do I ever ask anyone for e-gold trades. (I am a webmaster for several Paid To Read websites).

Someone who is infected with your name in their address book may be the one to blame for that. I will look at your silent runner's log in a moment.

[coachwife6]

You look OK.

[babblesrusso]

I deleted my Trillian and my yahoo account, signed up for another account using a different id and password. Then I downloaded Trillian again and only added the people to my contact list that I know for sure are safe.

Is this what may have solved the problem I was having?

[coachwife6]

I don't know about that particular problem you are having and what causes it. But there are certain viruses which go through address books and send out emails to people in the address books. Een people you trust may still get those types of emails. Most people know or should know that that is a very common problem and shouldnn't click on the link.

[babblesrusso]

Thanks for your help.

E-gold mentioned something about keyloggers. Do you know anything about that on my computer? Is there something else that I should run?

[coachwife6]

I did a quick search on egold but didn't delve into it. Give me the exact message your friend's received and that should help.

[babblesrusso]

"Anyone have any e-gold?" was the message or something close to that. I don't have the exact wording or to whom all the hijacker IM'd but the hijacker also set up an account with my name on it so the person that got defrauded out of $200 in e-gold thought it was me.

According to e-gold, the hacker got into my account, either by keylogger or a Trojan called "Banker" that logs keystrokes when you log in to e-gold from IE. I have since started using Firefox when logging into e-gold. I have also changed alll my passwords. But it is just not e-gold that the hijacker got into. It was other Paid to Read sites and surf sites that hijacker stole from me. (I have since got them back with a bunch of hassle.)

I just want to be sure that there isn't any other information that hijacker can steal from me like my new passwords.

Let me know if there is any other information that I can help you with.

[coachwife6]

I'm going to ask for help with this one. What kind of paid-to-read sites do you work for as webmaster?

[babblesrusso]

My sites that i own are:

http://www.bikinibottomemails.com
http://www.crystal-clicks.com
http://www.gossipemails.com
http://www.view2earn.com

[coachwife6]

I'm going to take a stab in the dark....but being the webmaster of those types of sites will attract a great deal of problems with your personal accounts. Don't you have a support person in the tech. department to assist you and keep out all the nasty stuff?

[babblesrusso]

i do that myself. maybe i should have a tech person.

I also have problems with IE browser crashing on occassion. Do you know what can cause that?

[coachwife6]

Really don't know much about website hosting, etc. Might post ovr in that forum.