Old February 1st, 2010, 01:45 PM   #1
raven955i
hijacked...virus...what?

Not sure if this is the best place to post, but if not I am sure you will let me know.
My father-in-law opened up his email (Earthlink) the other day to find his entire inbox deleted. He called the help desk and they told him his acct had been hijacked, but could not really give him any further info. He does not use any other email acct. The only one on his computer is Outlook and there is nothing there either. I have run AVG, Ad-Aware and Spybot, all in safe mode, and found nothing. I also ran HijackThis and here is the report. Can anyone see if there is anything odd? Thanks in advance.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:57 PM, on 1/31/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188922927453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1251312111078
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe

--
End of file - 5675 bytes
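A small parser for the HijackThis v2 log format posted above, added here as an example and not part of the thread or of HijackThis itself. It assumes the "Oxx - ..." line layout seen in the log, works on a constructed excerpt (the last O4 line is made up to exercise the check), and flags autoruns, BHOs and services that load from outside the usual install directories, which is the first thing a reviewer looks at in such a log.

```python
import re

# Constructed excerpt modelled on the thread's HijackThis log; the last O4 line is a made-up suspicious entry.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\Owner\Local Settings\Temp\updater.exe"
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
AUTORUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")  # where installed code normally lives on XP

def exe_path(cmd):
    """Strip surrounding quotes and trailing switches from an O4 command line."""
    m = re.match(r'^"([^"]+)"|^(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd

def parse(log):
    """Turn each 'Oxx - ...' line into a dict with section, name, clsid and path."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        rec = {"section": sec, "raw": rest}
        if sec == "O4":
            a = AUTORUN.match(rest)
            if a:
                rec.update(a.groupdict())
                rec["path"] = exe_path(a.group("cmd"))
        elif sec in ("O2", "O3", "O16", "O18", "O20", "O23"):
            parts = [p.strip() for p in rest.split(" - ")]
            rec["name"] = parts[0].split(": ", 1)[-1]   # drop the 'BHO:' / 'Service:' prefix
            rec["path"] = parts[-1]                      # DLL/EXE path, or the download URL for O16
            c = CLSID.search(rest)
            rec["clsid"] = c.group(0) if c else None
        entries.append(rec)
    return entries

def review_hints(entries):
    """Flag code loaded from outside TRUSTED_PREFIXES (a hint to inspect, not a verdict)."""
    hints = []
    for rec in entries:
        path = rec.get("path", "")
        if rec["section"] in ("O2", "O3", "O4", "O20", "O23") and path and not path.lower().startswith(TRUSTED_PREFIXES):
            hints.append((rec["section"], rec.get("name", ""), path))
    return hints
```

Run against the log in the thread, every O2/O4/O20/O23 entry resolves under Windows or Program Files, which matches the "everything came back as safe" result from hijackthis.de reported below.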
Old February 1st, 2010, 05:39 PM   #2
raven955i
Nihil, I found another of your posts with a link to hijackthis.de.
Great website... everything came back as safe.
Maybe he messed around with the settings and his email, or spyware, etc., is set to delete all messages after being read. I will check that once I get home tonight.
Old February 1st, 2010, 06:15 PM   #3
The-Spec
Go through the accounts and the policy editor, then get rid of all those toolbars and antiviral software. Sheesh... have some self respect, man.
Old February 1st, 2010, 06:48 PM   #4
westin
I love toolbars. Here is a screenshot of my browser.
[Attached image: toolbars.jpg]
__________________
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

-HST
Old February 2nd, 2010, 03:59 AM   #5
wiskic10_4
raven955i -

How does earthlink know his account was "hijacked"? He told you that in those exact words? Maybe the earthlink tech was just lazy and didn't know what else to tell him when he found his inbox deleted but insisted that he didn't do it. Could he have let his password out? Has he changed it since? If not, have him do so.

Usually if you've hijacked someone's email account you'd be looking for useful information or a means of sending out phishing emails, etc. You would want to go undetected, not delete the inbox... Is there anything in his trash folder? It's very possible that he deleted his own stuff by accident. Was it anything important? I delete everything in my inbox on a regular basis - usually upon entry.

westin -

That's friggin' hilarious. Sadly, I've worked on some puters where the browser actually looked like that. Usually on the work order: "Help! Browser running slow! I think I got a virus!" Of course, the system tray goes all the way to the start button, the start menu takes up the whole screen and then some and the desktop is full of miscellaneous icons that came from god knows where. =|
__________________
"Before I got sober, my thought process was like that of a dog - if I couldn't eat it or fu*k it, then piss on it."
-Some guy at AA

My Corner of the Intarwebz!!!
Old February 2nd, 2010, 07:41 AM   #6
ByTeWrangler
I would get rid of AVG. Use some other AV. Get rid of all toolbars and if possible use an alternative browser (anything but IE, and if you *must* use IE please upgrade to version 8 with all patches). Update all your Microsoft patches to the latest level, ensure you have an original copy of Windows, a firewall (get something [Outpost is good]) and AV. If you are looking for a *free* AV get - http://www.microsoft.com/Security_Essentials/ - Make sure you download from Microsoft.com only!
__________________
Parth Maniar,
CISSP, CISM, CISA, SSCP

*Thank you GOD*

Greater the Difficulty, SWEETER the Victory.

Believe in yourself.
Old February 2nd, 2010, 02:14 PM   #7
raven955i
Thanks for the info. I have changed his password (his previous one was "password", if you can believe it). He insists that he had not deleted anything. I checked his acct and nothing seems out of the ordinary. No new accts created, etc. Nothing is in the trash file.
Those are the exact words that the nice lady in India told him: that his acct had prolly been hacked.
TeW... I will absolutely cleanse his system of AVG. Thinking of putting in Avast. I have had good results from it.
It is kinda funny. He has been having these problems ever since Firefox was loaded onto his laptop. Which is even funnier, because I switched over to Firefox when IE was starting to run a little slow and now I have browser pages not loading issues.
I wonder if the two are related. Not sure how, but makes you wonder...
Len
Old February 2nd, 2010, 07:06 PM   #8
ByTeWrangler
Don't go for Avast please. If you are willing to pay then choose Kaspersky or Symantec (I prefer Kaspersky). If you want something free please go for the Microsoft AV, it's better than AVG and Avast.

Update, Update and Update - Everything on your machine and the OS itself.


Run an online scan at housecall.trendmicro.com once you're done with everything, just to be sure.
Old February 4th, 2010, 08:19 PM   #9
raven955i
Just as an update (I hate open-ended posts)...

I changed his password, scoured his system, updated all his stuff, etc. It now seems to be working fine. He is now getting his emails and they are not going anywhere. I did turn off his "empty trash bin automatically" option in case he did delete them by accident.
I did get a few spam email returns when his email came back up. Different names attached to his email address, that type of thing. All of them seemed to originate in Korea. I think all the blocks, etc. were keeping that contained but I will continue to monitor it.
I got my system back up and running also. I had to reload IE (some websites in the house will not load on Opera, etc.), but all is working well now. No more issues with pages not loading etc.
Thanks for all the help. :thumbsup

Len
Old February 5th, 2010, 12:08 AM   #10
wiskic10_4
I would assume, then, that his account was "hijacked" simply because his password was "password." Hopefully he's learned a lesson. If he has difficulty remembering passwords, it may be helpful to him to substitute numbers and symbols for letters, for example "password" may become "pa55w0rd" or "p@$$word" - just a thought.