Nov 4 2009, 12:54 AM
Post #1
New Member | Group: Members | Posts: 6 | Joined: 3-November 09 | Member No.: 398,317
Recently (Saturday) my World of Warcraft account was accessed by someone else and my characters devastated. Since I absolutely without exception do not share my account information with anyone else, I am left with the conclusion that this was most likely accomplished by a keylogger on my system. However, I am pretty zealous about computer security (within the bounds of my knowledge) and I am not sure how my system was compromised (I run Avast AV in full active mode, update and run Malwarebytes regularly; browse the Internet using Firefox w/ NoScript and Adblock). Matters are further complicated by the fact that I have been unable to detect any malicious programs, etc. on my system since the hack. The only evidence I have is that my WoW account is in shambles. I was able to recover access to my account by using my laptop, but the damage is already done. However, I would very much like to ensure that my system is truly clean and would very much appreciate any advice/suggestions as to what steps to take and/or tools to use in the future to protect myself.

Steps I have followed so far upon discovering my account had been compromised:

1. Immediately checked Task Manager for unfamiliar processes. I have been in the habit of checking my running processes for years, so that when something new appears it usually jumps out at me. I noticed a process called 'wow.exe' running and immediately killed it (the game was not running at the time).
2. Deleted the last two things I downloaded for WoW (an addon called 'Jamba' and a program called 'Octopus' (similar to Synergy)). Even though I had scanned these after downloading and found them both free of anything, I deleted them out of precaution (read: panic).
2. Opened Malwarebytes and ran Full Scan. 0 infections.
3. Ran Avast full scan of all HDDs in 'thorough mode' with 'scan archives' ticked. 0 results.
4. Following a friend's suggestion I downloaded AVG, disabled Avast, then ran a full scan with AVG. 0 results.
5. Uninstalled AVG, and ran a scan using ESET Online Scanner. 0 results.
6. Rebooted in 'Safe Mode' and repeated steps 2 and 3. Also, installed Spybot S&D and ran full scan. All three programs returned 0 results.

At this point I was completely frazzled. Finding nothing was 10 times worse than if I had seen a bunch of trojans popping up. I didn't know if there was something especially clever still hiding on my system or if it stole my information and self-deleted, or what. In desperation, I resorted to 'old reliable': re-install Windows fresh. I booted from the CD (Windows 7 RC, btw) and deleted the partition on my C: drive, then proceeded through the process of installing Windows 7. After reading through this site, in hindsight I suppose it would have been better to submit my logs to this forum before wiping and reloading Windows, but I was at a loss.

Since re-installing Windows 7, I have done the following:

1. Installed ESET NOD32 Antivirus; updated.
2. Installed Comodo Firewall. This was suggested to me by a friend and seems like a great tool for security. However, I am finding the learning curve rather steep and hope that I am using it properly.
3. Installed Malwarebytes; updated.
4. Quick and Full scans with Malwarebytes. 1 result was found: Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken. I Googled this and found a post on the Malwarebytes forum saying this was a false positive so I clicked 'Ignore'.
5. Full and Smart scans with NOD32. 0 results.

However, I am still uneasy as to the status of my computer's security. I have never been infected or hacked (until now), so I always thought my security precautions were adequate. Any help, advice, or suggestions are greatly appreciated. Many thanks in advance for your help.
LOG: DDS (Ver_09-10-26.01) - NTFSX64 Run by iamnotagun at 0:33:58.98 on Wed 11/04/2009, Internet Explorer: 8.0.7100.0, Microsoft Windows 7 Ultimate 6.1.7100.0.1252.1.1033.18.4094.1985 [GMT -5:00] (full DDS log omitted)
Nov 4 2009, 08:51 PM
Post #2
New Member | Group: Members | Posts: 6 | Joined: 3-November 09 | Member No.: 398,317
Update:
I ran HJT a few minutes ago and noticed something strange. At the top of the log (under "Running Processes") it shows the line "C:\Program Files (x86)\Mozilla Firefox\firefox.exe". The odd thing is Firefox was definitely NOT running at the time. I exited HJT and checked by Task Manager and Process Explorer to verify, then reran HJT just to double check. The entry is still there. Is this a bad indication?

PS) I didn't post the HJT log as I didn't want to break forum etiquette. Can do so if requested. Thanks.
Nov 6 2009, 09:32 PM
Post #3
Computer Masochist | Group: Staff Emeritus | Posts: 27,809 | Joined: 27-January 07 | From: Cleveland, Ohio | Member No.: 108,618
If all you can run is the DDS scan, then go ahead and post it with an explanation that it is all that you could get to work.

You have a DDS [which shouldn't be posted here either]; there is no need for an HJT log. Try this scan and include it in your HJT post:

Please download Win32kDiag.exe by AD and save it to your desktop. (alternate download 1, alternate download 2)

--------------------
Mark
why won't my laptop work? Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around. Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits.
Nov 6 2009, 10:31 PM
Post #4
New Member | Group: Members | Posts: 6 | Joined: 3-November 09 | Member No.: 398,317
Thank you for the reply.
I re-posted in the HJT forum and added the Win32kDiag log.
Nov 6 2009, 10:34 PM
Post #5
Bleepin Investigator | Group: Moderator | Posts: 20,277 | Joined: 14-July 06 | From: Bloomington, IN | Member No.: 76,150
Hello,
Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic269714.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer. From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks, perhaps less, to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
--------------------
Orange Blossom
An ounce of prevention is worth a pound of cure
ESET NOD32, SuperAntiSpyware Pro, SpywareBlaster, Spybot 1.6.2.46, WinPatrol Plus, Sunbelt Personal Firewall - Full, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript