My Hijackthis report log [Solved]


This topic is locked
9 replies to this topic

#1 Bzerong

Bzerong

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 26 May 2012 - 12:53 PM

Sorry if this is in the wrong place but I was hoping someone could help me decipher this hijackthis log.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:34:11 PM, on 5/26/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\SafeConnect\scClient.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Users\SDJ\Downloads\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xfinity.c...iv_eg_self_main
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xfinity.c...iv_eg_self_main
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1078\TmIEPlg.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL
O2 - BHO: TmBpIeBHO - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1102\7.1.1102\TmBpIe32.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Trend Micro Titanium] "C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" -set Silent "1" SplashURL ""
O4 - HKLM\..\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: SafeConnect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1102\7.1.1102\TmBpIe32.dll
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1078\TmIEPlg.dll
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\Program Files\Common Files\EzTools\hsppp.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - C:\Program Files\SafeConnect\scManager.sys servicestart (file missing)
O23 - Service: SCM_Service - Unknown owner - C:\Windows\System32\WinService.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe



Thanks and please let me know if you need any more information and I will try to respond ASAP.



#2 Doug

Doug

    Retired Administrator -Tech Team

  • Tech Team
  • 10,057 posts

Posted 26 May 2012 - 01:05 PM

I'll move this over to the Malware Removal Forum where you can get help from our Specialists.
The help you receive here is free.
If you wish, you may Donate to help keep us online.

#3 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 26 May 2012 - 02:06 PM

It would help if you tell us what issues you're having with the computer

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

Proud graduate of TC/WTT Classroom

 


#4 Bzerong

Bzerong

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 26 May 2012 - 02:24 PM

My diablo 3 account was hacked last night while I was logged on and playing in a private game. Lost a few items, all my gold, the usual. I have no issues with anything otherwise. I've been hearing a lot of rumors that this is a Blizzard side issue, a flaw in their security, but they are maintaining that accounts are being hacked via conventional methods (keyloggers etc.). I've scanned with spybot (came back 100% clean) and my trend micro antivirus has been up to date and performing regular scans for years, again coming back 100% clean every time. I'm trying to rule out that this was caused by an issue on my side.

#5 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 26 May 2012 - 02:27 PM

Make sure you changed your passwords.


Please do not attach the scan results from ComboFix. Use copy/paste.


Vista and Windows 7 users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")



Download ComboFix from one of these locations:

Link 1
Link 2 If using this link, Right Click and select Save As.


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.

    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.



#6 Bzerong

Bzerong

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 26 May 2012 - 03:22 PM

Combofix report log:

ComboFix 12-05-26.02 - SDJ 05/26/2012 16:58:54.1.4 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3582.2520 [GMT -4:00]
Running from: c:\users\SDJ\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\lol
c:\program files\lol\LeagueOfLegends\0x0409.ini
c:\program files\lol\LeagueOfLegends\data1.cab
c:\program files\lol\LeagueOfLegends\data1.hdr
c:\program files\lol\LeagueOfLegends\data2.cab
c:\program files\lol\LeagueOfLegends\ISSetup.dll
c:\program files\lol\LeagueOfLegends\layout.bin
c:\program files\lol\LeagueOfLegends\setup.exe
c:\program files\lol\LeagueOfLegends\setup.ini
c:\program files\lol\LeagueOfLegends\setup.inx
c:\program files\lol\LeagueOfLegends\setup.isn
c:\users\SDJ\Documents\47565BF5.tmp
c:\users\SDJ\Documents\EAC507E6.tmp
c:\windows\favicon.ico
c:\windows\system32\winservice.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_SCM_Service
.
.
((((((((((((((((((((((((( Files Created from 2012-04-26 to 2012-05-26 )))))))))))))))))))))))))))))))
.
.
2012-05-26 20:57 . 2012-05-26 20:57 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{65026726-3F82-4156-9F5F-ECF6DB73ABAF}\offreg.dll
2012-05-26 18:47 . 2012-03-01 05:46 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-05-26 18:47 . 2012-03-01 05:37 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-05-26 18:47 . 2012-03-01 05:33 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-05-26 18:47 . 2012-03-01 05:29 5120 ----a-w- c:\windows\system32\wmi.dll
2012-05-26 18:46 . 2012-05-26 18:46 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2012-05-26 18:45 . 2012-05-15 05:43 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{65026726-3F82-4156-9F5F-ECF6DB73ABAF}\mpengine.dll
2012-05-26 18:44 . 2012-05-26 18:44 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-05-26 18:19 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-26 18:19 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-26 18:19 . 2012-03-31 02:36 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-26 18:19 . 2012-03-31 04:29 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-26 18:18 . 2012-02-17 05:34 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-05-26 18:18 . 2012-02-17 04:14 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-05-26 18:18 . 2012-02-17 04:13 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-05-26 18:18 . 2012-03-30 10:23 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-26 18:18 . 2012-03-17 07:27 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-26 18:17 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-26 15:17 . 2012-05-26 18:17 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-05-26 15:17 . 2012-05-26 15:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-05-16 19:38 . 2012-05-16 20:02 -------- d-----w- c:\program files\Diablo III
2012-05-16 19:38 . 2012-05-16 19:58 -------- d-----w- c:\programdata\Blizzard Entertainment
2012-05-16 19:38 . 2012-05-16 19:58 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2012-05-16 19:35 . 2012-05-16 19:35 -------- d-----w- c:\programdata\Battle.net
2012-05-15 20:46 . 2012-05-15 20:46 -------- d-----w- c:\program files\iPod
2012-05-15 19:38 . 2012-05-15 19:38 -------- d-----w- c:\users\SDJ\AppData\Local\EA Games
2012-05-15 19:28 . 2012-05-15 19:28 -------- d-----w- c:\program files\EA Games
2012-05-14 04:39 . 2012-05-14 04:39 -------- d-----w- C:\LocalDumps
2012-05-02 17:49 . 2012-05-02 18:01 -------- d-----w- c:\program files\Counter Strike Source
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-15 22:01 . 2010-04-21 01:53 140496 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-05-15 22:01 . 2010-04-21 02:03 280736 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-05-15 22:01 . 2010-04-21 01:53 280736 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-05-15 22:00 . 2010-04-21 01:53 215128 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-04-22 00:31 . 2009-08-18 15:24 19352 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-04-22 00:27 . 2012-04-22 00:27 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-04-22 00:27 . 2012-04-22 00:27 161792 ----a-w- c:\windows\system32\msls31.dll
2012-04-22 00:27 . 2012-04-22 00:27 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-04-22 00:27 . 2012-04-22 00:27 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-04-22 00:27 . 2012-04-22 00:27 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-04-22 00:27 . 2012-04-22 00:27 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-04-22 00:27 . 2012-04-22 00:27 367104 ----a-w- c:\windows\system32\html.iec
2012-04-22 00:27 . 2012-04-22 00:27 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-04-22 00:27 . 2012-04-22 00:27 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-04-22 00:27 . 2012-04-22 00:27 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-04-22 00:27 . 2012-04-22 00:27 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-04-22 00:27 . 2012-04-22 00:27 152064 ----a-w- c:\windows\system32\wextract.exe
2012-04-22 00:27 . 2012-04-22 00:27 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-04-22 00:27 . 2012-04-22 00:27 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-04-22 00:27 . 2012-04-22 00:27 11776 ----a-w- c:\windows\system32\mshta.exe
2012-04-22 00:27 . 2012-04-22 00:27 101888 ----a-w- c:\windows\system32\admparse.dll
2012-04-22 00:27 . 2012-04-22 00:27 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-04-19 00:56 . 2012-04-19 00:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-19 00:56 . 2012-04-19 00:56 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-03-24 19:09 . 2011-05-23 18:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-09 16:58 . 2011-01-20 18:16 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-08 22:50 . 2012-03-08 22:50 49016 ----a-w- c:\windows\system32\sirenacm.dll
2012-03-01 16:39 . 2012-03-01 16:39 56 ----a-w- c:\windows\system32\SupportTool.exe.bat
2012-03-01 16:34 . 2012-03-01 16:40 92432 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2012-03-01 16:34 . 2012-03-01 16:39 81168 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2012-03-01 16:34 . 2012-03-01 16:39 68368 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2012-03-01 16:34 . 2012-03-01 16:39 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-02-29 23:59 . 2012-04-19 22:20 812352 ----a-w- c:\windows\system32\nvumdshim.dll
2012-02-29 23:59 . 2012-04-19 22:20 301376 ----a-w- c:\windows\system32\nvdecodemft.dll
2012-02-29 23:59 . 2012-04-19 22:20 215360 ----a-w- c:\windows\system32\nvinit.dll
2012-02-29 23:59 . 2011-08-13 15:54 7713088 ----a-w- c:\windows\system32\nvwgf2um.dll
2012-02-29 23:59 . 2011-08-13 15:54 61248 ----a-w- c:\windows\system32\OpenCL.dll
2012-02-29 23:59 . 2011-08-13 15:54 19444544 ----a-w- c:\windows\system32\nvoglv32.dll
2012-02-29 23:59 . 2011-08-13 15:54 10819392 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-02-29 23:59 . 2011-08-13 15:54 881984 ----a-w- c:\windows\system32\nvgenco32.dll
2012-02-29 23:59 . 2011-08-13 15:54 1000256 ----a-w- c:\windows\system32\nvdispco32.dll
2012-02-29 23:59 . 2011-08-13 15:54 15009600 ----a-w- c:\windows\system32\nvd3dum.dll
2012-02-29 23:59 . 2011-08-13 15:54 5892928 ----a-w- c:\windows\system32\nvcuda.dll
2012-02-29 23:59 . 2011-08-13 15:54 2517312 ----a-w- c:\windows\system32\nvcuvid.dll
2012-02-29 23:59 . 2011-08-13 15:54 2437440 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-02-29 23:59 . 2011-08-13 15:54 17543488 ----a-w- c:\windows\system32\nvcompiler.dll
2012-02-29 23:59 . 2011-08-13 15:54 2301248 ----a-w- c:\windows\system32\nvapi.dll
2012-02-29 20:56 . 2012-04-19 22:20 3881792 ----a-w- c:\windows\system32\nvcpl.dll
2012-02-29 20:55 . 2012-04-19 22:20 2719040 ----a-w- c:\windows\system32\nvsvc.dll
2012-02-29 20:53 . 2012-04-19 22:20 108352 ----a-w- c:\windows\system32\nvmctray.dll
2012-02-29 20:53 . 2012-04-19 22:20 645440 ----a-w- c:\windows\system32\nvvsvc.exe
2012-02-29 20:53 . 2012-04-19 22:20 62272 ----a-w- c:\windows\system32\nvshext.dll
2012-02-29 17:26 . 2012-02-29 17:26 416064 ----a-w- c:\windows\system32\nvStreaming.exe
2009-05-15 01:02 . 2009-05-15 01:02 3392872 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll
2009-05-15 01:02 . 2009-05-15 01:02 3298152 ----a-w- c:\program files\Common Files\adlmint.dll
2012-04-25 06:39 . 2011-05-12 12:40 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\steam.exe" [2011-08-02 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2012-02-27 1304792]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-02-27 133424]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2011-7-20 296088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer9"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NETGEAR WG111v2 Smart Wizard.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WG111v2 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111v2 Smart Wizard.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2009-11-15 09:42 33120 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 02:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 18:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
2010-04-15 08:17 427328 ----a-w- c:\program files\DAEMON Tools Pro\DTAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HLBackupScheduler]
2011-05-05 14:11 4950664 ----a-w- c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-07 00:05 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2011-07-22 04:07 718720 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 00:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-25 129976]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2010-04-06 377856]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-25 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys [2007-01-19 21728]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-08-22 697328]
S1 ISODisk;ISODisk; [x]
S1 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2012-03-01 68368]
S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 SCManager;SafeConnect Manager;c:\program files\SafeConnect\scManager.sys servicestart [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-02-29 382272]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-07-07 139880]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-02 139776]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.xfinity.com/?cid=xfactiv_eg_self_main
mStart Page = hxxp://www.xfinity.com/?cid=xfactiv_eg_self_main
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\SDJ\AppData\Roaming\Mozilla\Firefox\Profiles\gpiobgac.default\
FF - prefs.js: browser.startup.homepage - google.com
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-PunkBusterSvc - c:\program files\Origin Games\Battlefield 3 Beta\pbsvc.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1249458215-3412941234-1877906358-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:69,d2,b6,c1,44,6b,3e,6d,cb,e2,e5,31,88,59,d2,3c,44,c4,2a,c9,c9,4e,95,
7e,8d,95,a1,b9,7e,63,78,e9,8a,9a,fb,72,41,5f,b9,39,6a,f2,2f,60,64,36,07,cc,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49
.
[HKEY_USERS\S-1-5-21-1249458215-3412941234-1877906358-1000\Software\SecuROM\License information*]
"datasecu"=hex:e8,11,f9,09,59,e4,42,66,5c,99,a1,11,13,1e,89,46,31,69,96,ea,c4,
a2,93,c0,3b,0b,80,a9,9d,ce,a8,30,ed,35,76,a8,51,d6,a5,85,af,3b,2f,af,43,aa,\
"rkeysecu"=hex:b5,92,df,fc,89,63,c5,79,bf,fa,93,96,17,2a,a1,d6
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Trend Micro\AMSP\coreServiceShell.exe
c:\windows\system32\conhost.exe
c:\program files\Trend Micro\AMSP\coreFrameworkHost.exe
c:\windows\system32\conhost.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\SafeConnect\scManager.sys
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2012-05-26 17:16:00 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-26 21:15
.
Pre-Run: 220,612,898,816 bytes free
Post-Run: 220,430,684,160 bytes free
.
- - End Of File - - 1F64058F562F32EA0CFEED4CA4E54661

Other than 1 or 2 games freezing from time to time my computer performs very well at all times. All this searching and scanning was prompted purely by the account being compromised in Diablo 3.
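Reading the O23 lines of the HijackThis log in post #1 next to the "Other Deletions" and "Drivers/Services" sections of the ComboFix log in post #6 is the cross-check the helper did by eye: the SCM_Service entry with an unknown owner pointing at C:\Windows\System32\WinService.exe is exactly what ComboFix later reports removing. The script below is an added example, not code from the thread or from either tool; its sample strings are short excerpts of the two posted logs, and the triage signals it applies (no owner string, file missing, unattributed binary in System32) are my assumptions about what a reviewer looks for.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a few lines excerpted from the HijackThis log posted
# above (not the complete log).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - C:\Program Files\SafeConnect\scManager.sys servicestart (file missing)
O23 - Service: SCM_Service - Unknown owner - C:\Windows\System32\WinService.exe
"""

# Constructed sample: excerpt of the ComboFix log posted in this thread.
COMBOFIX_SAMPLE = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\lol
c:\users\SDJ\Documents\47565BF5.tmp
c:\windows\system32\winservice.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SCM_Service
.
((((((((((((((((((((((((( Files Created from 2012-04-26 to 2012-05-26 )))))))))))))))))))))))))))))))
2012-05-26 20:57 . 2012-05-26 20:57 56200 ----a-w- c:\programdata\example.dll
"""

# HijackThis O23 layout: "O23 - Service: <display> - <owner> - <path and args>"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# ComboFix section banners are wrapped in runs of parentheses.
SECTION_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")
# First drive-rooted binary on the line, dropping any trailing arguments/notes.
EXE_RE = re.compile(r"^(?P<exe>[A-Za-z]:\\.+?\.(?:exe|sys|dll))", re.IGNORECASE)


def parse_hjt_services(text: str) -> List[Dict[str, str]]:
    """Return one record per O23 line: service key name, owner and binary path."""
    services = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        display = m.group("display")
        # HijackThis prints "Display Name (KeyName)" when the two differ.
        key = re.search(r"\(([^()]+)\)$", display)
        exe = EXE_RE.match(m.group("path"))
        services.append({
            "name": key.group(1) if key else display,
            "owner": m.group("owner"),
            "path": m.group("path"),
            "exe": exe.group("exe") if exe else m.group("path"),
        })
    return services


def flag_services(services: List[Dict[str, str]]) -> List[Dict]:
    """Apply the triage signals (assumed here) a reviewer reads off an O23 line."""
    flagged = []
    for svc in services:
        reasons = []
        if svc["owner"] == "Unknown owner":
            reasons.append("no vendor/owner string")
        if "(file missing)" in svc["path"]:
            reasons.append("binary no longer on disk")
        if svc["owner"] == "Unknown owner" and "\\windows\\system32\\" in svc["exe"].lower():
            reasons.append("unattributed binary living in System32")
        if reasons:
            flagged.append({**svc, "reasons": reasons})
    return flagged


def parse_combofix(text: str) -> Tuple[Set[str], Set[str]]:
    """Collect paths under 'Other Deletions' and names under 'Drivers/Services'."""
    deleted_paths: Set[str] = set()
    removed_services: Set[str] = set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("title")
            continue
        if section == "Other Deletions":
            deleted_paths.add(line.lower())
        elif section == "Drivers/Services" and line.startswith("-------\\Service_"):
            removed_services.add(line[len("-------\\Service_"):].lower())
    return deleted_paths, removed_services


def reconcile(hjt_text: str, combofix_text: str) -> Dict[str, Dict]:
    """Map each flagged HijackThis service to what ComboFix reported doing about it."""
    deleted_paths, removed_services = parse_combofix(combofix_text)
    report = {}
    for svc in flag_services(parse_hjt_services(hjt_text)):
        report[svc["name"]] = {
            "reasons": svc["reasons"],
            "file_deleted": svc["exe"].lower() in deleted_paths,
            "service_removed": svc["name"].lower() in removed_services,
        }
    return report


if __name__ == "__main__":
    for name, info in reconcile(HJT_SAMPLE, COMBOFIX_SAMPLE).items():
        print(f"{name}: {info}")
```

Entries that are flagged but neither deleted nor removed (PnkBstrA, SCManager here) are the ones still worth a second look rather than evidence of infection; the page's own verdict on them was "looks good".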

#7 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 26 May 2012 - 03:27 PM

That all looks good to me.
Guess you'll need to see what happens.

Good job :thumbup:

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:
  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7
  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.


Here's my usual final post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.


Log looks good :D


  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.


  • Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.


    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn

  • JAVA Click this link and click on the Free JAVA Download


  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.


I would suggest you read:
PC Safety and Security--What Do I Need?
How to Prevent Malware:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to donate (PayPal) for the help you received.
 

Proud graduate of TC/WTT Classroom
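An added audit script for the Internet Explorer zone checklist in the post above; it is not from LDTate's post or this forum. It reads the Internet zone (zone 3) values under HKCU, compares them with the settings the checklist asks for, and reports which still need changing (with -Fix it writes them). It assumes Microsoft's documented zone action IDs (KB182569: 0 = Enable, 1 = Prompt, 3 = Disable); the function name Test-IEInternetZone is my own.

```powershell
# Added audit example (not from the original post): compares the current
# Internet-zone (zone 3) settings with the values the checklist asks for.
# Action IDs and value meanings follow Microsoft's documented zone layout
# (KB182569): 0 = Enable, 1 = Prompt, 3 = Disable. Assumed, not from the page.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values from the checklist, keyed by action ID.
$Recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IEInternetZone {
    param([switch]$Fix)   # with -Fix, write the recommended value instead of only reporting
    $current = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
    foreach ($id in $Recommended.Keys) {
        $want = $Recommended[$id].Want
        $have = $current.$id          # $null when the value has never been written
        $ok   = ($have -eq $want)
        # Show the friendly label where known, otherwise the raw number.
        $shown = if ($null -eq $have) { '(not set, IE default applies)' }
                 elseif ($Label.ContainsKey([int]$have)) { $Label[[int]$have] }
                 else { "raw value $have" }
        [pscustomobject]@{
            ActionId = $id
            Setting  = $Recommended[$id].Name
            Current  = $shown
            Wanted   = $Label[$want]
            Status   = if ($ok) { 'OK' } else { 'CHANGE' }
        }
        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $ZoneKey -Name $id -Value $want -Type DWord
        }
    }
}

# Report only; run "Test-IEInternetZone -Fix" to apply the checklist values.
Test-IEInternetZone | Format-Table -AutoSize
```

If a policy sets Security_HKLM_only, the effective settings live under the matching HKLM key instead of HKCU, so point $ZoneKey there before trusting the report.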

 


#8 Bzerong

Bzerong

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 26 May 2012 - 03:41 PM

Thank you for the quick and clear responses. I very much appreciate you taking the time to look at all those logs and get back to me.

#9 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 26 May 2012 - 03:42 PM

You're more than welcome.
Glad we were able to help

Peace be with you



#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 26 May 2012 - 04:51 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.
