Wow account hacked..Passwords being stolen


8 replies to this topic

#1 Aonce

Aonce

    New Member

  • Authentic Member
  • 15 posts

Posted 14 October 2009 - 04:30 AM

Hi, a couple of days ago my World of Warcraft account was compromised, and again tonight. I've run numerous virus scans and found nothing.
Help :l



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:31 PM, on 10/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Desktop\o_o\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com...llerControl.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games – Matchmaking) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (MSN Games – Game Chat) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/...no.cab55579.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/...of.cab55579.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinn...v57/wof/wof.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...k.cab102118.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab56649.cab
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopet...v/GoPetsWeb.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

Edited by Aonce, 14 October 2009 - 10:54 AM.



#2 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • 1,433 posts

Posted 17 October 2009 - 03:08 PM

Hello and welcome to WhatTheTech.

I apologize for the delay in response.

If you still require help, please follow the instructions mentioned here: http://forums.whatth...rs_t106388.html

Post the logs once done and please provide an update of the condition of your system for me.

With Regards,
Extremeboy
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free. If you wish to show your appreciation, you may wish to [donate button image].

#3 Aonce

Aonce

    New Member

  • Authentic Member
  • 15 posts

Posted 18 October 2009 - 10:55 AM

Hi, thanks for your reply, I was beginning to lose hope :l My passwords and such are still being stolen as we speak... anyway, here are the logs you asked for.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 3:38:11.02 on Mon 10/19/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.264 [GMT 11:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: Dealio: {e67c74f4-a00a-4f2c-9fec-fd9dc004a67f} - c:\program files\dealio\kb127\Dealio.dll
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\monopoly\images\stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} - hxxp://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} - hxxp://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} - hxxp://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\monopoly\images\armhelper.ocx
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - hxxp://messenger.zone.msn.com/binary/WoF.cab57176.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\pulocm9w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-4-22 9344]
S3 CEDRIVER53;CEDRIVER53;\??\c:\program files\cheat engine\dbk32.sys --> c:\program files\cheat engine\dbk32.sys [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-4-6 23064]

=============== Created Last 30 ================

2009-10-17 05:56 <DIR> --d----- c:\program files\Trend Micro
2009-10-17 03:31 <DIR> --d----- c:\program files\common files\PC Tools
2009-10-17 03:31 <DIR> --d----- c:\program files\Spyware Doctor
2009-10-15 08:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-10-15 05:03 0 a------- c:\windows\system32\atiicdxx.dat
2009-10-15 05:02 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-10-07 03:52 520,192 -------- c:\windows\system32\ati2sgag.exe
2009-10-07 03:51 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-10-07 03:51 <DIR> --d----- c:\program files\ATI Technologies
2009-10-07 03:50 <DIR> --d----- C:\ATI
2009-10-06 19:02 <DIR> --d----- c:\program files\City of Heroes

==================== Find3M ====================

2009-09-10 15:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 15:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-26 03:37 6,120 a------- c:\windows\BricoPackFoldersDelete.cmd
2009-08-26 03:37 64,567 a------- c:\windows\BricoPackUninst.cmd
2009-08-23 04:09 229,376 a------- c:\windows\PEV.exe
2009-07-26 17:44 48,448 a------- c:\windows\system32\sirenacm.dll
2008-11-19 23:36 24,192 a------- c:\documents and settings\administrator\usbsermptxp.sys
2008-11-19 23:36 22,768 a------- c:\documents and settings\administrator\usbsermpt.sys
2008-04-23 00:09 18,895,728 a------- c:\program files\Install_Messenger.exe
2008-04-22 22:55 53,786 a------- c:\program files\Install_WLMessenger.msi
2008-04-22 18:24 1,164,456 a------- c:\program files\adobeflashplayer90.exe

============= FINISH: 3:39:28.68 ===============
Attached File: Attach.txt (9.93KB, 511 downloads)

#4 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • 1,433 posts

Posted 18 October 2009 - 11:34 AM

Hello.

Hi, thanks for your reply, I was beginning to lose hope :l My passwords and such are still being stolen as we speak... anyway, here are the logs you asked for.

What passwords are getting stolen? How do you know? What are these passwords related to?

First: you have NO anti-virus software installed.

Please install one NOW. This is crucial.

Install Antivirus

An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a (ONE) free anti-virus program from one of the links below:

Please update it after the installation is complete.

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.


  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal.)
  • Close/disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet, as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator.
  • Click the Report tab at the bottom.
  • Now press the Scan button.
  • A box will pop up; check the boxes beside all seven options/scan areas.
  • Now click OK.
  • Another box will open; check the boxes beside all the drives, e.g. C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop.
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.

Update and Scan with MalwareBytes Anti-Malware

  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

With Regards,
Extremeboy

#5 Aonce

Aonce

    New Member

  • Authentic Member
  • 15 posts

Posted 18 October 2009 - 12:39 PM

What passwords are getting stolen? How do you know? What are these passwords related to?

My World of Warcraft gaming account, email and some other sites... I know because I get emails saying passwords are being changed without my permission. I have reset my passwords and made new emails, but somehow they keep compromising my accounts. They are all unique and simply cannot be guessed.....
(Note: I have been using Google Chrome for the past week, if it makes any difference.)


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/19 05:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF075000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A67000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xECDCD000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
Status: Invisible to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf8b9c23e

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf8b9c234

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf8b9c243

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf8b9c24d

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf8b9c252

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf8b9c220

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf8b9c225

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf8b9c25c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf8b9c257

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf8b9c248

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf8b9c22f

==EOF==

---------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 2981
Windows 5.1.2600 Service Pack 2

10/19/2009 5:38:15 AM
mbam-log-2009-10-19 (05-38-15).txt

Scan type: Quick Scan
Objects scanned: 99080
Time elapsed: 9 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Aonce, 18 October 2009 - 12:44 PM.

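As an added example (not code from the thread or from RootRepeal), a small Python script that parses the SSDT section of a RootRepeal report like the one posted above, groups the hooked system calls by the module RootRepeal attributes them to, and reports the address range each hooker covers; the "one driver likely" flag is this script's own heuristic for hooks that all sit within one 4 KiB range. The sample input is a constructed subset of the posted log.

```python
"""Summarise the SSDT section of a RootRepeal report (added example)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the SSDT block posted in this thread.
SAMPLE = """\
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf8b9c23e

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf8b9c234

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf8b9c220

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf8b9c22f

==EOF==
"""

FUNC_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\w+)")
HOOK_RE = re.compile(r'^Status:\s*Hooked by "([^"]*)" at address 0x([0-9a-fA-F]+)')

# Heuristic (this script's assumption): hook stubs belonging to one
# driver sit close together, so a span under one page suggests one module.
SINGLE_MODULE_SPAN = 0x1000


def parse_ssdt(text):
    """Return (index, function, hooker, address) tuples from the SSDT section.

    Reading starts at the 'SSDT' header and stops at the first line that is
    neither an entry, a Status line, a dash rule nor blank (the next section
    header or ==EOF==).
    """
    hooks = []
    in_ssdt = False
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "SSDT":
            in_ssdt = True
            continue
        if not in_ssdt:
            continue
        if not line or set(line) == {"-"}:
            continue
        m = FUNC_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        if line.startswith("Status:"):
            m = HOOK_RE.match(line)
            if m and pending is not None:
                idx, func = pending
                hooks.append((idx, func, m.group(1), int(m.group(2), 16)))
            pending = None  # a non-hook Status line must not pair with a later address
            continue
        break  # next section header or ==EOF==
    return hooks


def summarise(hooks):
    """Group hooks per hooker: functions, lowest/highest address, span, flags."""
    by_hooker = defaultdict(list)
    for _idx, func, hooker, addr in hooks:
        by_hooker[hooker].append((func, addr))
    summary = {}
    for hooker, items in by_hooker.items():
        addrs = [a for _, a in items]
        lo, hi = min(addrs), max(addrs)
        summary[hooker] = {
            "functions": sorted(f for f, _ in items),
            "lo": lo,
            "hi": hi,
            "span": hi - lo,
            "single_module": hi - lo < SINGLE_MODULE_SPAN,
            "unidentified": hooker in ("", "<unknown>"),
        }
    return summary


def report(text):
    """Human-readable triage lines for the SSDT section of a report."""
    lines = []
    for hooker, s in summarise(parse_ssdt(text)).items():
        who = "unidentified module" if s["unidentified"] else hooker
        verdict = "one driver likely" if s["single_module"] else "several ranges"
        lines.append(f"{who}: {len(s['functions'])} hooks in "
                     f"0x{s['lo']:08x}-0x{s['hi']:08x} (span 0x{s['span']:x}, {verdict})")
        lines.append("  " + ", ".join(s["functions"]))
        if s["unidentified"]:
            lines.append("  -> find the driver whose image covers this range "
                         "(services/drivers list) before judging the hooks")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Registry and process-handle hooks like these are set both by security products protecting themselves and by rootkits, so the useful output is which module owns the address range, which is what the drivers list in the DDS and ComboFix logs is then checked against.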

#6 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • 1,433 posts

Posted 18 October 2009 - 01:26 PM

Hello.

My World of Warcraft gaming account, email and some other sites... I know because I get emails saying passwords are being changed without my permission. I have reset my passwords and made new emails, but somehow they keep compromising my accounts. They are all unique and simply cannot be guessed.....

When you change passwords, you should change them from a known clean computer and not from this computer, as it may be compromised; if so, changing a password on the infected machine won't do anything.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

#7 Aonce

Aonce

    New Member

  • Authentic Member
  • 15 posts

Posted 18 October 2009 - 03:00 PM

ComboFix 09-10-17.01 - Administrator 10/19/2009 7:48.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.343 [GMT 11:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-18 17:46 . 2009-10-18 17:46 -------- d-----w- c:\windows\LastGood
2009-10-18 17:46 . 2009-07-28 05:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-18 17:46 . 2009-03-29 23:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-18 17:46 . 2009-02-13 01:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-10-18 17:46 . 2009-02-13 01:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-10-18 17:46 . 2009-10-18 17:46 -------- d-----w- c:\program files\Avira
2009-10-18 17:46 . 2009-10-18 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-18 16:34 . 2009-10-18 16:35 -------- d-----w- c:\program files\ERUNT
2009-10-16 18:56 . 2009-10-16 19:15 -------- d-----w- c:\program files\Trend Micro
2009-10-16 16:31 . 2009-10-16 16:31 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-16 16:31 . 2009-10-16 16:31 -------- d-----w- c:\program files\Spyware Doctor
2009-10-14 21:51 . 2009-10-14 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-10-14 18:03 . 2009-10-14 18:03 0 ----a-w- c:\windows\system32\atiicdxx.dat
2009-10-14 18:02 . 2009-10-14 18:02 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-06 17:04 . 2009-10-06 17:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NCSoft
2009-10-06 16:58 . 2009-10-06 16:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ATI
2009-10-06 16:58 . 2009-10-06 16:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-10-06 16:58 . 2009-10-06 16:58 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-10-06 16:58 . 2009-10-16 20:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-10-06 16:52 . 2006-05-03 00:57 520192 ------w- c:\windows\system32\ati2sgag.exe
2009-10-06 16:51 . 2009-10-06 16:53 -------- d-----w- c:\program files\ATI Technologies
2009-10-06 16:50 . 2009-10-06 16:50 -------- d-----w- C:\ATI
2009-10-06 08:02 . 2009-10-07 05:33 -------- d-----w- c:\program files\City of Heroes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 20:42 . 2008-05-11 11:05 -------- d-----w- c:\program files\WPE PRO - modified
2009-10-16 18:45 . 2009-03-13 06:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-14 21:55 . 2009-04-16 14:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-10-06 16:51 . 2008-11-19 12:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-06 08:43 . 2008-06-11 11:03 -------- d-----w- c:\program files\Google
2009-10-06 08:02 . 2008-11-26 05:21 -------- d-----w- c:\program files\Starcraft
2009-10-06 08:02 . 2008-08-11 12:24 -------- d-----w- c:\program files\Cheat Engine
2009-09-17 04:45 . 2009-02-28 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 04:54 . 2009-03-02 12:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 04:53 . 2009-03-02 12:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-02 02:11 . 2008-06-10 06:56 -------- d-----w- c:\program files\Messenger Plus! Live
2009-09-01 20:09 . 2009-08-28 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Name beep copy real
2009-09-01 02:47 . 2009-09-01 02:47 -------- d-----w- c:\program files\Windows Journal Viewer
2009-08-30 21:31 . 2008-04-20 08:27 12912 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 21:20 . 2008-04-22 13:12 -------- d-----w- c:\program files\Windows Live Toolbar
2009-08-30 21:13 . 2009-08-30 21:13 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-30 21:13 . 2008-06-10 06:56 -------- d-----w- c:\program files\Windows Live
2009-08-30 21:00 . 2009-08-30 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-08-28 16:45 . 2009-08-28 16:45 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-08-28 16:42 . 2009-08-28 16:42 -------- d-----w- c:\program files\Microsoft
2009-08-25 22:43 . 2009-08-25 21:36 -------- d-----w- c:\program files\Screaming Bee
2009-08-25 21:37 . 2009-08-25 21:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Screaming Bee
2009-08-25 17:05 . 2009-08-25 16:59 -------- d-----w- c:\program files\Yahoo!
2009-08-25 16:37 . 2009-08-25 16:27 6120 ----a-w- c:\windows\BricoPackFoldersDelete.cmd
2009-08-25 16:37 . 2009-08-25 16:37 64567 ----a-w- c:\windows\BricoPackUninst.cmd
2009-08-25 14:23 . 2009-07-26 02:41 -------- d-----w- c:\program files\Risk
2009-07-29 19:32 . 2008-06-21 11:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-26 06:44 . 2009-07-26 06:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-21 17:50 . 2009-07-21 17:50 14776 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-04-22 13:09 . 2008-04-22 13:09 18895728 ----a-w- c:\program files\Install_Messenger.exe
2008-04-22 11:55 . 2008-04-22 11:55 53786 ----a-w- c:\program files\Install_WLMessenger.msi
2008-04-22 07:24 . 2008-04-22 07:24 1164456 ----a-w- c:\program files\adobeflashplayer90.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-01_20.01.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-06 15:19 . 2007-11-06 15:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-28 21:05 . 2008-07-28 21:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-28 21:05 . 2008-07-28 21:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-28 21:05 . 2008-07-28 21:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-28 21:05 . 2008-07-28 21:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-28 21:05 . 2008-07-28 21:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-28 21:05 . 2008-07-28 21:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-28 21:05 . 2008-07-28 21:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-28 21:05 . 2008-07-28 21:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-28 21:05 . 2008-07-28 21:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-28 21:05 . 2008-07-28 21:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-28 21:05 . 2008-07-28 21:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-28 19:07 . 2008-07-28 19:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-28 19:07 . 2008-07-28 19:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-03-02 01:11 . 2009-10-14 18:02 38520 c:\windows\system32\Restore\rstrlog.dat
+ 2004-08-04 12:00 . 2009-10-03 16:32 81064 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-08-22 22:40 81064 c:\windows\system32\perfc009.dat
+ 2006-05-03 16:45 . 2006-05-03 16:45 77824 c:\windows\system32\Oemdspif.dll
+ 2009-10-18 17:46 . 2009-05-10 23:12 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2006-05-03 16:10 . 2006-05-03 16:10 40960 c:\windows\system32\drivers\ati2erec.dll
+ 2001-11-09 15:01 . 2001-11-09 15:01 24064 c:\windows\system32\ativcoxx.dll
+ 2006-05-03 16:15 . 2006-05-03 16:15 17408 c:\windows\system32\atitvo32.dll
+ 2006-05-03 16:43 . 2006-05-03 16:43 53248 c:\windows\system32\ATIDDC.DLL
+ 2006-05-03 16:45 . 2006-05-03 16:45 26112 c:\windows\system32\Ati2mdxx.exe
+ 2006-05-03 16:44 . 2006-05-03 16:44 61440 c:\windows\system32\ati2evxx.dll
+ 2006-05-03 16:45 . 2006-05-03 16:45 41984 c:\windows\system32\ati2edxx.dll
+ 2009-10-06 16:56 . 2009-10-06 16:56 9158 c:\windows\Installer\{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}\NewShortcut5_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2009-10-06 16:56 . 2009-10-06 16:56 9158 c:\windows\Installer\{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}\NewShortcut3_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2009-10-06 16:56 . 2009-10-06 16:56 9158 c:\windows\Installer\{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}\NewShortcut22_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2009-10-06 16:56 . 2009-10-06 16:56 9158 c:\windows\Installer\{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}\NewShortcut21_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2009-10-06 16:56 . 2009-10-06 16:56 9158 c:\windows\Installer\{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}\NewShortcut2_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2009-10-06 16:56 . 2009-10-06 16:56 9158 c:\windows\Installer\{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}\NewShortcut1_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2009-10-06 16:56 . 2009-10-06 16:56 9158 c:\windows\Installer\{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}\ARPPRODUCTICON.exe
+ 2008-07-28 21:05 . 2008-07-28 21:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-28 21:05 . 2008-07-28 21:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-28 16:54 . 2008-07-28 16:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-28 21:05 . 2008-07-28 21:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-10-06 16:51 . 2004-08-04 00:56 516768 c:\windows\system32\ReinstallBackups\0001\DriverFiles\ativvaxx.dll
+ 2009-10-06 16:51 . 2004-08-04 00:56 870784 c:\windows\system32\ReinstallBackups\0001\DriverFiles\ati3d1ag.dll
+ 2009-10-06 16:51 . 2004-08-03 22:29 701440 c:\windows\system32\ReinstallBackups\0001\DriverFiles\ati2mtag.sys
+ 2009-10-06 16:51 . 2004-08-04 00:56 201728 c:\windows\system32\ReinstallBackups\0001\DriverFiles\ati2dvag.dll
+ 2009-10-06 16:51 . 2004-08-04 00:56 229376 c:\windows\system32\ReinstallBackups\0001\DriverFiles\ati2cqag.dll
+ 2009-10-06 16:52 . 2004-08-04 00:56 516768 c:\windows\system32\ReinstallBackups\0000\DriverFiles\ativvaxx.dll
+ 2009-10-06 16:52 . 2004-08-04 00:56 870784 c:\windows\system32\ReinstallBackups\0000\DriverFiles\ati3d1ag.dll
+ 2009-10-06 16:52 . 2004-08-04 00:56 201728 c:\windows\system32\ReinstallBackups\0000\DriverFiles\ati2dvag.dll
+ 2009-10-06 16:52 . 2004-08-04 00:56 229376 c:\windows\system32\ReinstallBackups\0000\DriverFiles\ati2cqag.dll
- 2004-08-04 12:00 . 2009-08-22 22:40 482064 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2009-10-03 16:32 482064 c:\windows\system32\perfh009.dat
+ 2006-05-03 16:45 . 2006-05-03 16:45 114688 c:\windows\system32\atipdlxx.dll
+ 2006-05-03 16:15 . 2006-05-03 16:15 151552 c:\windows\system32\atikvmag.dll
+ 2006-05-03 16:54 . 2006-05-03 16:54 307200 c:\windows\system32\atiiiexx.dll
+ 2006-05-03 16:12 . 2006-05-03 16:12 286720 c:\windows\system32\ATIDEMGR.dll
+ 2006-05-03 16:43 . 2006-05-03 16:43 413696 c:\windows\system32\ati2evxx.exe
+ 2008-04-20 17:36 . 2006-05-03 16:51 258048 c:\windows\system32\ati2dvag.dll
+ 2008-04-20 17:36 . 2006-05-03 16:09 282624 c:\windows\system32\ati2cqag.dll
+ 2009-10-16 16:32 . 2009-10-16 16:32 228352 c:\windows\Installer\5c51ed.msi
+ 2009-10-18 16:35 . 2009-10-18 16:35 200704 c:\windows\ERDNT\10-19-2009\Users\00000002\UsrClass.dat
+ 2009-10-18 16:35 . 2005-10-20 01:02 163328 c:\windows\ERDNT\10-19-2009\ERDNT.EXE
+ 2008-07-28 21:05 . 2008-07-28 21:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-28 21:05 . 2008-07-28 21:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2009-10-06 16:51 . 2004-08-04 00:56 1888992 c:\windows\system32\ReinstallBackups\0001\DriverFiles\ati3duag.dll
+ 2009-10-06 16:52 . 2004-08-04 00:56 1888992 c:\windows\system32\ReinstallBackups\0000\DriverFiles\ati3duag.dll
+ 2009-10-06 16:52 . 2006-05-03 16:50 1540608 c:\windows\system32\ReinstallBackups\0000\DriverFiles\ati2mtag.sys
+ 2008-04-20 17:36 . 2006-05-03 16:50 1540608 c:\windows\system32\drivers\ati2mtag.sys
+ 2008-04-20 17:36 . 2006-05-03 16:50 1540608 c:\windows\system32\dllcache\ati2mtag.sys
+ 2008-04-20 17:36 . 2006-05-03 16:29 1408000 c:\windows\system32\ativvaxx.dll
+ 2006-05-03 16:18 . 2006-05-03 16:18 5033984 c:\windows\system32\atioglxx.dll
+ 2006-05-03 16:21 . 2006-05-03 16:21 6684672 c:\windows\system32\atioglx1.dll
+ 2008-04-20 17:36 . 2006-05-03 16:35 2693280 c:\windows\system32\ati3duag.dll
+ 2009-10-18 16:35 . 2009-10-18 16:35 8335360 c:\windows\ERDNT\10-19-2009\Users\00000001\ntuser.dat
+ 2009-10-06 16:56 . 2009-10-06 16:56 13135872 c:\windows\Installer\2bbb9ca.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^RocketDock.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\RocketDock.lnk
backup=c:\windows\pss\RocketDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"gupdate1c99b7d993d971c"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\World of Warcraft\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\World of Warcraft\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\World of Warcraft\\Launcher.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\World of Warcraft\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"58614:TCP"= 58614:TCP:Pando Media Booster
"58614:UDP"= 58614:UDP:Pando Media Booster

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/19/2009 4:46 AM 108289]
R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [4/22/2007 1:15 AM 9344]
S3 CEDRIVER53;CEDRIVER53;\??\c:\program files\Cheat Engine\dbk32.sys --> c:\program files\Cheat Engine\dbk32.sys [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 2:19 PM 23064]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ANTIVIRSCHEDULERSERVICE
*NewlyCreated* - ANTIVIRSERVICE
*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB
*NewlyCreated* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder

2009-10-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-16 15:21]

2009-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-963894560-839522115-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-11 09:09]

2009-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-963894560-839522115-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-11 09:09]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pulocm9w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-19 07:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-963894560-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(376)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(776)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\msi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-18 7:58
ComboFix-quarantined-files.txt 2009-10-18 20:57
ComboFix2.txt 2009-03-02 17:48

Pre-Run: 4,054,192,128 bytes free
Post-Run: 4,101,468,160 bytes free

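The ComboFix log above is long and mostly noise (driver backups, WinSxS assemblies, Avira's own files). What a helper actually reads out of it is a short list: new executable code outside the Windows and Program Files trees, firewall exceptions, and third-party kernel drivers, especially ones whose file ComboFix could not find on disk (the `[?]` marker). The script below, added here as an example and not part of ComboFix or of this thread, parses those three entry types out of a pasted log and returns the lines worth researching first. The `triage`/`Finding` names, the "trusted roots" rule, and the `WATCHLIST` of software a helper usually asks about (P2P clients are a common infection vector; game hack tools ship kernel drivers) are this example's own assumptions. The sample input copies a few lines from the posted log; the `update.exe` line is constructed for the demo and was not in the original log.

```python
"""Triage a pasted ComboFix-style log: extract file, firewall-exception and
driver entries and flag the ones a helper would research first.
Added example for this thread; not ComboFix's own code. The heuristics are
this example's assumptions, not anything ComboFix reports itself."""
import re
from dataclasses import dataclass

# Constructed sample input. Most lines are copied from the posted log; the
# "update.exe" line is constructed for the demo and was NOT in that log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.
2009-10-18 17:46 . 2009-07-28 05:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-18 17:46 . 2009-10-18 17:46 -------- d-----w- c:\program files\Avira
2009-10-14 18:03 . 2009-10-14 18:03 0 ----a-w- c:\windows\system32\atiicdxx.dat
2009-10-14 18:05 . 2009-10-14 18:05 24576 ----a-w- c:\documents and settings\Administrator\Application Data\update.exe
2009-09-01 20:09 . 2009-08-28 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Name beep copy real
2009-07-26 06:44 . 2009-07-26 06:44 48448 ----a-w- c:\windows\system32\sirenacm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [4/22/2007 1:15 AM 9344]
S3 CEDRIVER53;CEDRIVER53;\??\c:\program files\Cheat Engine\dbk32.sys --> c:\program files\Cheat Engine\dbk32.sys [?]
"""

# "created . modified size attrs path" lines from the Files Created / Find3M sections
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-\w]{8}) (?P<path>.+)$"
)
# registry-exported firewall exception: "c:\\path\\app.exe"=
FW_APP_RE = re.compile(r'^"(?P<path>[^"]+\.exe)"=$', re.IGNORECASE)
# service/driver lines: R3 name;display;path [date size]  or  ... --> path [?]
DRIVER_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?\.sys)(?:\s|$)",
    re.IGNORECASE,
)

# Assumption: code under these roots is left for a second pass; everything else is flagged.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
CODE_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")
# Assumed watchlist: software a helper usually asks about (P2P clients are a
# common infection vector; game hack tools ship kernel drivers).
WATCHLIST = ("limewire", "cheat engine", "wpe pro")


@dataclass(frozen=True)
class Finding:
    kind: str    # "file", "dir", "firewall" or "driver"
    path: str    # normalised, lower-cased path
    reason: str


def _norm(path):
    """Undo registry-style doubled backslashes and lower-case for comparisons."""
    return path.replace("\\\\", "\\").lower()


def _outside_trusted(path):
    return not path.startswith(TRUSTED_ROOTS)


def triage(log_text):
    """Return the entries of a ComboFix-style log that deserve a first look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := FILE_RE.match(line):
            path = _norm(m["path"])
            is_dir = m["attrs"].startswith("d")
            if not is_dir and path.endswith(CODE_EXT) and _outside_trusted(path):
                findings.append(Finding("file", path, "executable code outside Windows/Program Files"))
            elif is_dir and "application data" in path and _outside_trusted(path):
                findings.append(Finding("dir", path, "new data directory; identify the owning product"))
        elif m := FW_APP_RE.match(line):
            path = _norm(m["path"])
            if _outside_trusted(path):
                findings.append(Finding("firewall", path, "firewall exception outside Windows/Program Files"))
            elif any(w in path for w in WATCHLIST):
                findings.append(Finding("firewall", path, "firewall exception for watchlisted software"))
        elif m := DRIVER_RE.match(line):
            path = _norm(m["path"]).removeprefix("\\??\\")
            if "[?]" in line:
                findings.append(Finding("driver", path, "registered driver whose file was not found on disk"))
            if not path.startswith("c:\\windows\\system32\\drivers\\"):
                findings.append(Finding("driver", path, "kernel driver loaded from outside system32\\drivers"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.path}\n         {f.reason}")
```

Run against the sample, the script ignores the Avira and ATI entries and reports five items: the constructed `update.exe` in a profile directory, the unnamed-product directory under All Users\Application Data, the LimeWire firewall exception, and two entries for `dbk32.sys` (registered from Program Files and not found on disk). None of that is a verdict; it is the short list a helper would ask the poster about, which is the step the thread's instructions leave to the reviewer.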

#8 extremeboy
Retired WTT Malware Disintegrator Teacher (Authentic Member, 1,433 posts)

Posted 19 October 2009 - 02:16 PM

Run a scan with Malwarebytes followed by a new scan with DDS. Also let me know how your system is running.

Update and Scan with MalwareBytes Anti-Malware

  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Thanks.

~EB

#9 extremeboy
Retired WTT Malware Disintegrator Teacher (Authentic Member, 1,433 posts)

Posted 25 October 2009 - 09:10 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy