Lately I also added AVG Free anti-virus.
I never had a problem with spyware/trojans/keyloggers before, but last week I allowed my parent to use my computer while I was out, and 2 days ago my World of Warcraft account was hacked, with the username changed and a character mid-transfer before I stopped it with their service. I am positive I saw an e-mail in my Google account concerning a password change, and later could not find it, so I am positive they had access to my e-mail address also and were deleting the red-flag e-mails. I did a quick scan with AVG and Spybot with no result; I then changed my password and from then on used the on-screen keyboard to input my passwords. However, earlier today I noticed I got hacked again on my World of Warcraft account with the new password (the password was changed without my knowledge; I did enter it once with the keyboard). I have since changed the password again and changed my e-mail account password/recovery password from a different, clean computer. I tried to look over the processes myself but alas am not well educated enough to find anything, so now I am going along with the steps. Below is the log.
Here is my netstat -an log, for what it's worth:
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\xsnipersgox>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3260 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3261 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING
TCP 127.0.0.1:10080 0.0.0.0:0 LISTENING
TCP 127.0.0.1:10080 127.0.0.1:51404 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51408 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51410 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51412 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51413 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51415 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51418 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51420 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51421 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51424 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51426 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51428 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51430 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51432 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51438 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51440 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51442 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51443 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51444 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51448 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51450 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51452 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51454 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51456 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51465 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51467 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51468 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51471 ESTABLISHED
TCP 127.0.0.1:10080 127.0.0.1:51473 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51475 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51477 TIME_WAIT
TCP 127.0.0.1:10080 127.0.0.1:51479 TIME_WAIT
TCP 127.0.0.1:13128 0.0.0.0:0 LISTENING
TCP 127.0.0.1:18080 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 127.0.0.1:49174 ESTABLISHED
TCP 127.0.0.1:49174 127.0.0.1:27015 ESTABLISHED
TCP 127.0.0.1:51404 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51408 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51421 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51428 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51438 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51440 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51442 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51443 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51444 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51448 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51450 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51459 127.0.0.1:10080 TIME_WAIT
TCP 127.0.0.1:51461 127.0.0.1:10080 TIME_WAIT
TCP 127.0.0.1:51463 127.0.0.1:10080 TIME_WAIT
TCP 127.0.0.1:51465 127.0.0.1:10080 ESTABLISHED
TCP 127.0.0.1:51471 127.0.0.1:10080 ESTABLISHED
TCP 192.168.1.111:139 0.0.0.0:0 LISTENING
TCP 192.168.1.111:51405 74.125.157.139:80 ESTABLISHED
TCP 192.168.1.111:51409 74.125.159.133:80 ESTABLISHED
TCP 192.168.1.111:51423 74.125.159.139:80 ESTABLISHED
TCP 192.168.1.111:51429 12.20.40.89:80 ESTABLISHED
TCP 192.168.1.111:51437 74.125.47.106:80 TIME_WAIT
TCP 192.168.1.111:51439 74.125.65.101:80 ESTABLISHED
TCP 192.168.1.111:51441 65.54.166.122:80 ESTABLISHED
TCP 192.168.1.111:51445 65.54.166.122:80 ESTABLISHED
TCP 192.168.1.111:51446 65.54.166.122:80 ESTABLISHED
TCP 192.168.1.111:51447 65.54.166.122:80 ESTABLISHED
TCP 192.168.1.111:51449 65.54.166.122:80 ESTABLISHED
TCP 192.168.1.111:51451 65.55.98.41:80 ESTABLISHED
TCP 192.168.1.111:51458 65.54.166.122:443 ESTABLISHED
TCP 192.168.1.111:51464 132.203.239.16:80 TIME_WAIT
TCP 192.168.1.111:51466 132.203.239.16:80 ESTABLISHED
TCP 192.168.1.111:51472 12.20.40.80:80 ESTABLISHED
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:5357 [::]:0 LISTENING
TCP [::]:49152 [::]:0 LISTENING
TCP [::]:49153 [::]:0 LISTENING
TCP [::]:49154 [::]:0 LISTENING
TCP [::]:49155 [::]:0 LISTENING
TCP [::]:49156 [::]:0 LISTENING
UDP 0.0.0.0:123 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:5355 *:*
UDP 0.0.0.0:49152 *:*
UDP 0.0.0.0:49154 *:*
UDP 0.0.0.0:51927 *:*
UDP 0.0.0.0:65204 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:59152 *:*
UDP 192.168.1.111:137 *:*
UDP 192.168.1.111:138 *:*
UDP 192.168.1.111:1900 *:*
UDP 192.168.1.111:5353 *:*
UDP 192.168.1.111:59151 *:*
UDP [::]:123 *:*
UDP [::]:500 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:5355 *:*
UDP [::]:49153 *:*
UDP [::]:49155 *:*
UDP [::1]:1900 *:*
UDP [::1]:59149 *:*
UDP [fe80::20c1:68e:9c63:5bdc%12]:1900 *:*
UDP [fe80::20c1:68e:9c63:5bdc%12]:59150 *:*
UDP [fe80::54a2:9da3:8d59:2bd2%11]:1900 *:*
UDP [fe80::54a2:9da3:8d59:2bd2%11]:59146 *:*
UDP [fe80::6920:94fa:d876:acd2%8]:1900 *:*
UDP [fe80::6920:94fa:d876:acd2%8]:59148 *:*
UDP [fe80::ec7c:a18e:b89e:6bfc%10]:1900 *:*
UDP [fe80::ec7c:a18e:b89e:6bfc%10]:59147 *:*
--------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:10 PM, on 9/26/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\ASScrPro.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP Laser Gaming Mouse with VoodooDNA\hid.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [DirectMessenger] "C:\Program Files\ASUS\ASUS Direct Console\LCMP.EXE"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP VoodooDNA Mouse] "C:\Program Files\HP Laser Gaming Mouse with VoodooDNA\hid.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [googletalk] C:\Users\xsnipersgox\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk.disabled
O4 - Startup: SolidWorks Task Scheduler Engine.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Citrix XenApp.lnk.disabled
O4 - Global Startup: MultiFrame.lnk.disabled
O4 - Global Startup: SetPoint.lnk = C:\Program Files\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1c9b65fdc7dfe1e) (gupdate1c9b65fdc7dfe1e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - D:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe
O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - D:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\Windows\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 10026 bytes
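As a triage aid for netstat -an output like the one posted above (an added example, not part of the original post or of any tool it mentions): it parses each line, separates loopback-only sockets from those reachable on the network, and lists established connections to external addresses so they can be checked against the services the machine is known to use. The sample input is a subset of lines copied from the log above.

```python
import ipaddress
import re
from collections import defaultdict

# Subset of lines copied from the netstat -an output above (constructed sample).
SAMPLE = """\
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:10080 0.0.0.0:0 LISTENING
TCP 127.0.0.1:51404 127.0.0.1:10080 ESTABLISHED
TCP 192.168.1.111:139 0.0.0.0:0 LISTENING
TCP 192.168.1.111:51405 74.125.157.139:80 ESTABLISHED
TCP 192.168.1.111:51458 65.54.166.122:443 ESTABLISHED
TCP 192.168.1.111:51464 132.203.239.16:80 TIME_WAIT
TCP [::]:135 [::]:0 LISTENING
UDP 192.168.1.111:137 *:*
"""

# UDP lines carry no state column, so the fourth group is optional.
LINE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")

def split_endpoint(ep):
    """Split 'host:port', '[v6%zone]:port' or '*:*' into (host, port)."""
    if ep == "*:*":
        return "*", "*"
    host, _, port = ep.rpartition(":")
    return host.strip("[]").split("%")[0], port

def scope(host):
    """Classify an address as wildcard, loopback, lan (private/link-local) or external."""
    if host in ("*", "0.0.0.0", "::"):
        return "wildcard"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "lan"
    return "external"

def triage(text):
    """Return (network-reachable listeners, external peers with ESTABLISHED connections)."""
    listeners = set()
    peers = defaultdict(set)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        # Wildcard- or LAN-bound sockets are reachable from other machines; loopback ones are not.
        if (state == "LISTENING" or proto == "UDP") and scope(lhost) != "loopback":
            listeners.add((proto, lport))
        if state == "ESTABLISHED" and scope(fhost) == "external":
            peers[fhost].add(fport)
    return listeners, dict(peers)
```

Run against the full log, the external-peer list is what to reconcile against the browser tabs, updaters and game launchers that were open at the time; anything left over deserves a closer look.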