
Possible keylogger


  • This topic is locked
6 replies to this topic

#1 emccormack

emccormack

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:38 PM

Posted 31 December 2009 - 11:54 AM

I recently had my WoW account hacked. I've run Norton Security 2010 regularly since I built the computer. Since the incident I've scanned with Malwarebytes as well, but with no luck. If someone has the time I would appreciate it if they could just check over the logs and see if anything is amiss. I realize that there may be nothing and am in fact hoping that's the case. I would just feel better knowing that the hack was a brute force attack and not some type of keylogger; I am fairly knowledgeable about computers and take as much precaution as I can. Anyway, any help would be greatly appreciated.


Thanks in Advance,
Eric



DDS (Ver_09-12-01.01) - NTFSX64
Run by Eric at 11:40:27.80 on Thu 12/31/2009
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8186.5617 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Norton Internet Security *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
C:\Program Files (x86)\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\NCSoft\Launcher\NCLauncher.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files (x86)\WindowManager\WindowManager.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files (x86)\WindowManager\WindowManager64.exe
C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files (x86)\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe
C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe
C:\Program Files (x86)\Ideazon\ZEngine\Zboard.exe
C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Mozilla Firefox 3.6 Beta 5\firefox.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Eric\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\syswow64\blank.htm
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files (x86)\norton internet security\engine\17.1.0.19\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files (x86)\norton internet security\engine\17.1.0.19\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files (x86)\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files (x86)\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files (x86)\norton internet security\engine\17.1.0.19\coIEPlg.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files (x86)\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Core Temp] "c:\users\eric\programs\core temp\Core Temp.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EPSON Stylus CX9400Fax Series] c:\windows\system32\spool\drivers\x64\3\e_iaticfa.exe /fu "c:\users\eric\appdata\local\temp\E_SEB38.tmp" /EF "HKCU"
uRun: [igndlm.exe] c:\program files (x86)\download manager\DLM.exe /windowsstart /startifwork
uRun: [NCsoft Launcher] c:\program files (x86)\ncsoft\launcher\NCLauncher.exe /Minimized
uRun: [swg] "c:\program files (x86)\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [DeathAdder] "c:\program files (x86)\razer\deathadder\razerhid.exe"
mRun: [Google Quick Search Box] "c:\program files (x86)\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Name of App] c:\program files (x86)\samsung\fw liveupdate\FWManager.exe r
mRun: [SteelSeries World of Warcraft MMO Gaming Mouse] "c:\program files (x86)\steelseries\world of warcraft mmo gaming mouse\WoWMHID.exe"
mRun: [VolPanel] "c:\program files (x86)\creative\volume panel\VolPanlu.exe" /r
mRun: [Zboard] c:\program files (x86)\ideazon\zengine\Zboard.exe
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files (x86)\ati\aticustomercare\ATICustomerCare.exe"
dRun: [EPSON Stylus CX9400Fax Series] c:\windows\system32\spool\drivers\x64\3\e_iaticfa.exe /fu "c:\windows\temp\E_SA340.tmp" /EF "HKCU"
StartupFolder: c:\users\eric\appdata\roaming\micros~1\windows\startm~1\programs\startup\window~1.lnk - c:\program files (x86)\windowmanager\WindowManager.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15110/CTPID.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~2\common~1\skype\SKYPE4~1.DLL
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg64.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll
TB-X64: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun-x64: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun-x64: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun-x64: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\eric\appdata\roaming\mozilla\firefox\profiles\l25n0k9j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://wow.curse.com/|http://www.nuiaddon.com/download.html|http://www.wowinterface.com/forums/forumdisplay.php?f=86|http://www.aionsource.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files (x86)\download manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox 3.6 beta 5\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys [2009-12-28 154256]
R0 amdide64;amdide64;c:\windows\system32\drivers\amdide64.sys [2009-9-13 10632]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nisx64\1101000.013\SymDS64.sys [2009-11-28 433200]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nisx64\1101000.013\SymEFA64.sys [2009-11-28 219184]
R1 BHDrvx64;BHDrvx64;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\bashdefs\20091205.001\BHDrvx64.sys [2009-12-4 668720]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nisx64\1101000.013\cchpx64.sys [2009-11-28 615040]
R1 IDSVia64;IDSVia64;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\ipsdefs\20091217.002\IDSviA64.sys [2009-12-18 466992]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nisx64\1101000.013\Ironx64.sys [2009-11-28 146992]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nisx64\1101000.013\symtdiv.sys [2009-11-28 450608]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-24 202752]
R2 NIS;Norton Internet Security.;c:\program files (x86)\norton internet security\engine\17.1.0.19\ccSvcHst.exe [2009-11-28 126392]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 202776]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1417240]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 94744]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-28 132656]
R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [2009-12-12 12800]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-11-17 294400]
S1 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools64.sys [2009-9-21 38912]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x64.sys [2009-8-23 19432]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\common files\creative labs shared\service\AL6Licensing.exe [2009-8-2 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\common files\creative labs shared\service\CTAELicensing.exe [2009-8-2 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 202776]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1417240]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 94744]
S3 Lycosa;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2009-8-9 20608]

=============== Created Last 30 ================

2009-12-30 23:59:54 0 d-----w- c:\users\eric\appdata\roaming\Malwarebytes
2009-12-30 23:59:50 22104 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 23:59:50 0 d-----w- c:\programdata\Malwarebytes
2009-12-30 23:59:50 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2009-12-30 19:46:51 0 d-----w- c:\programdata\DeskSoft
2009-12-30 19:46:35 0 d-----w- c:\users\eric\appdata\roaming\DeskSoft
2009-12-30 19:46:35 0 d-----w- c:\program files (x86)\WindowManager
2009-12-30 05:31:26 737230072 ----a-w- c:\windows\MEMORY.DMP
2009-12-30 01:29:30 0 d-----w- c:\programdata\ATI
2009-12-30 01:25:36 0 d-----w- c:\program files (x86)\common files\ATI Technologies
2009-12-30 01:24:02 0 d-----w- c:\program files\ATI Technologies
2009-12-30 01:23:58 0 d-----w- c:\program files\ATI
2009-12-30 00:39:12 0 d-----w- c:\windows\syswow64\Adobe
2009-12-30 00:29:41 149280 ----a-w- c:\windows\syswow64\javaws.exe
2009-12-30 00:29:41 145184 ----a-w- c:\windows\syswow64\javaw.exe
2009-12-30 00:29:41 145184 ----a-w- c:\windows\syswow64\java.exe
2009-12-28 23:57:01 0 d-----w- c:\windows\Panther
2009-12-28 23:56:40 154256 ----a-r- c:\windows\system32\drivers\ahcix64s.sys
2009-12-28 23:49:52 0 d--h--w- C:\$WINDOWS.~Q
2009-12-28 23:47:14 0 d--h--w- C:\$INPLACE.~TR
2009-12-28 22:23:10 0 d-----w- c:\program files (x86)\Mozilla Firefox 3.6 Beta 5
2009-12-28 21:51:13 2048 ----a-w- c:\windows\syswow64\tzres.dll
2009-12-28 21:51:13 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-28 21:50:36 311808 ----a-w- c:\windows\system32\msv1_0.dll
2009-12-28 21:50:36 257024 ----a-w- c:\windows\syswow64\msv1_0.dll
2009-12-28 21:36:42 20 --sh--w- c:\users\eric\ntuser.ini
2009-12-28 21:36:37 0 d-sh--w- C:\Recovery
2009-12-28 21:23:55 23356 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-28 21:06:28 743126 ----a-w- c:\windows\syswow64\PerfStringBackup.INI
2009-12-28 21:06:13 0 d-----w- c:\windows\syswow64\URTTEMP
2009-12-28 21:06:03 0 d-sh--w- c:\windows\Installer
2009-12-28 21:05:29 0 d-----w- c:\programdata\Creative
2009-12-28 21:05:28 102400 ----a-w- c:\windows\syswow64\cttele32.dll
2009-12-28 21:05:27 107008 ----a-w- c:\windows\system32\cttele64.dll
2009-12-28 21:05:25 0 d-----w- c:\programdata\EPSON
2009-12-28 21:05:17 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-12-28 21:05:17 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-12-28 21:02:42 0 ----a-w- c:\windows\ativpsrm.bin
2009-12-28 21:02:27 89088 ----a-w- c:\windows\system32\CmdRtr64.DLL
2009-12-28 21:02:27 73728 ----a-w- c:\windows\syswow64\CmdRtr.DLL
2009-12-28 21:02:27 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2009-12-28 21:02:27 444952 ----a-w- c:\windows\syswow64\wrap_oal.dll
2009-12-28 21:02:27 190976 ----a-w- c:\windows\system32\APOMgr64.DLL
2009-12-28 21:02:27 159 ---ha-r- c:\windows\ctfile.rfc
2009-12-28 21:02:27 148480 ----a-w- c:\windows\syswow64\APOMngr.DLL
2009-12-28 21:02:27 121880 ----a-w- c:\windows\system32\OpenAL32.dll
2009-12-28 21:02:27 109080 ----a-w- c:\windows\syswow64\OpenAL32.dll
2009-12-28 21:02:27 0 d-----w- c:\program files (x86)\OpenAL
2009-12-28 21:02:18 0 d-----w- c:\windows\syswow64\data
2009-12-28 21:02:16 0 d-----w- c:\windows\system32\data
2009-12-28 21:01:38 8496 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2009-12-28 21:01:38 8496 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2009-12-28 21:01:15 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-12-28 19:45:08 1890 ----a-w- c:\windows\diagwrn.xml
2009-12-28 19:45:08 1890 ----a-w- c:\windows\diagerr.xml
2009-12-26 02:08:42 0 d-----w- c:\users\eric\appdata\roaming\Razer
2009-12-16 09:54:12 4764 ----a-w- c:\users\eric\.recently-used.xbel
2009-12-12 17:58:25 0 d-----w- c:\users\eric\appdata\roaming\SteelSeries
2009-12-12 17:57:44 12800 ----a-w- c:\windows\system32\drivers\Mo3Fltr.sys
2009-12-12 17:57:41 0 d-----w- c:\program files (x86)\SteelSeries
2009-12-02 02:39:38 53296 ----a-r- c:\windows\system32\drivers\SymIMV.sys

==================== Find3M ====================

2009-12-30 00:29:35 411368 ----a-w- c:\windows\syswow64\deploytk.dll
2009-11-28 23:40:12 854 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.INF
2009-11-28 23:40:12 7440 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.CAT
2009-11-28 23:40:12 173104 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2009-11-26 22:01:29 4876 ----a-w- c:\windows\syswow64\FilterData.dat
2009-11-25 03:52:14 6174720 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2009-11-25 03:18:02 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-11-25 03:17:52 446976 ----a-w- c:\windows\system32\atieclxx.exe
2009-11-25 03:17:16 202752 ----a-w- c:\windows\system32\atiesrxx.exe
2009-11-25 03:15:54 120320 ----a-w- c:\windows\system32\atitmm64.dll
2009-11-25 03:15:36 421376 ----a-w- c:\windows\system32\atipdl64.dll
2009-11-25 03:15:28 356352 ----a-w- c:\windows\syswow64\atipdlxx.dll
2009-11-25 03:15:14 274432 ----a-w- c:\windows\syswow64\Oemdspif.dll
2009-11-25 03:15:06 12288 ----a-w- c:\windows\system32\atimuixx.dll
2009-11-25 03:15:02 59392 ----a-w- c:\windows\system32\atiedu64.dll
2009-11-25 03:14:58 43520 ----a-w- c:\windows\syswow64\ati2edxx.dll
2009-11-25 03:12:12 3055616 ----a-w- c:\windows\syswow64\atidxx32.dll
2009-11-25 03:04:30 3661824 ----a-w- c:\windows\system32\atidxx64.dll
2009-11-25 03:02:20 17625088 ----a-w- c:\windows\system32\atio6axx.dll
2009-11-25 02:55:58 3617792 ----a-w- c:\windows\syswow64\atiumdag.dll
2009-11-25 02:50:14 4683776 ----a-w- c:\windows\system32\atiumd64.dll
2009-11-25 02:44:56 13487616 ----a-w- c:\windows\syswow64\atioglxx.dll
2009-11-25 02:43:54 2601984 ----a-w- c:\windows\system32\atiumd6a.dll
2009-11-25 02:37:58 2899968 ----a-w- c:\windows\syswow64\atiumdva.dll
2009-11-25 02:25:46 53248 ----a-w- c:\windows\system32\atimpc64.dll
2009-11-25 02:25:46 53248 ----a-w- c:\windows\system32\amdpcom64.dll
2009-11-25 02:25:38 52224 ----a-w- c:\windows\syswow64\atimpc32.dll
2009-11-25 02:25:38 52224 ----a-w- c:\windows\syswow64\amdpcom32.dll
2009-11-25 02:25:16 312320 ----a-w- c:\windows\system32\atiadlxx.dll
2009-11-25 02:25:08 225280 ----a-w- c:\windows\syswow64\atiadlxy.dll
2009-11-25 02:21:54 43008 ----a-w- c:\windows\system32\aticalrt64.dll
2009-11-25 02:21:52 53248 ----a-w- c:\windows\syswow64\aticalrt.dll
2009-11-25 02:21:38 39936 ----a-w- c:\windows\system32\aticalcl64.dll
2009-11-25 02:21:36 53248 ----a-w- c:\windows\syswow64\aticalcl.dll
2009-11-25 02:21:24 4740096 ----a-w- c:\windows\system32\aticaldd64.dll
2009-11-25 02:20:26 3629056 ----a-w- c:\windows\syswow64\aticaldd.dll
2009-11-25 02:10:14 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2009-11-19 07:22:46 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2009-11-19 07:22:46 5958656 ----a-w- c:\windows\syswow64\mshtml.dll
2009-11-17 22:01:20 294400 ----a-w- c:\windows\system32\drivers\Rt64win7.sys
2009-11-16 08:13:26 271360 ----a-w- c:\windows\system32\drivers\Rtlh64.sys
2009-11-12 12:24:34 97792 ----a-w- c:\windows\system32\RTNUninst64.dll
2009-11-06 08:58:34 499712 ----a-w- c:\windows\syswow64\msvcp71.dll
2009-11-06 08:58:34 348160 ----a-w- c:\windows\syswow64\msvcr71.dll
2009-10-22 15:59:00 196565 ----a-w- c:\windows\system32\atiicdxx.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 11:40:38.76 ===============


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:38 AM

Posted 09 January 2010 - 03:04 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log
Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
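The two DDS sections a helper reads first are "Running Processes" and the "Pseudo HJT Report" (autostart entries, browser objects, Hosts lines). As an added example for this thread, and not code from BleepingComputer, the DDS tool or either poster, the script below splits a DDS log into its "====" sections and applies a few of the checks a helper otherwise makes by eye: an image launched from a user-writable folder, a core Windows binary name loaded from outside the Windows directory, an orphaned ("No File") browser object, and a Hosts entry that sinkholes a non-local name. The sample log, file names and domain in it are constructed for illustration.

```python
"""Triage helper for DDS-style log excerpts.

Added example for this thread, not code from BleepingComputer, the DDS author or
either poster. It splits a DDS log into its '====' sections and applies a few of
the checks a helper applies by eye to the 'Running Processes' and
'Pseudo HJT Report' sections.
"""
import re
from collections import defaultdict

# Constructed sample in the DDS layout shown in the thread. Every path, name and
# domain below is made up for illustration; none comes from a real machine.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Example Vendor\vendorsvc.exe
C:\Users\alice\AppData\Local\Temp\winupd.exe
C:\Users\alice\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.example.com/
BHO: Example Helper: {00000000-0000-0000-0000-000000000001} - c:\program files (x86)\example\helper.dll
TB: {00000000-0000-0000-0000-000000000002} - No File
uRun: [Printer Helper] c:\windows\system32\spool\drivers\x64\3\printhelper.exe /fu "c:\users\alice\appdata\local\temp\p_1234.tmp"
uRun: [svchost] c:\users\alice\appdata\roaming\svchost.exe
mRun: [VendorTray] "c:\program files (x86)\example vendor\tray.exe" /autorun
Hosts: 127.0.0.1 www.example-security-vendor.com
Hosts: 127.0.0.1 localhost

================= FIREFOX ===================
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# First image path on a command line, with or without surrounding quotes.
PATH_RE = re.compile(r'^"?([a-z]:\\.+?\.(?:exe|dll|scr|cpl|sys))"?', re.I)
AUTORUN_RE = re.compile(r"^([umd]Run(?:-x64)?): \[([^\]]*)\]\s*(.*)$", re.I)
OBJECT_RE = re.compile(r"^(?:BHO|TB|SSODL|Handler)(?:-X64)?: (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)$")
USER_WRITABLE_RE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|temp|programdata\\temp|users\\public)\\", re.I)
CORE_NAME_RE = re.compile(r"\\(?:svchost|lsass|csrss|winlogon|explorer)\.exe$")


def split_sections(text):
    """Map each '==== Name ====' header to the non-blank lines under it."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current is not None:
            sections[current].append(line)
    return sections


def executable_of(command):
    """Return the launched image path without its arguments, so a temp file passed
    as an argument (as printer helpers do) does not make a system binary look
    like it lives in temp."""
    m = PATH_RE.match(command.strip())
    return m.group(1).lower() if m else command.strip().lower()


def image_tags(exe):
    """Path-based checks shared by process and autorun entries."""
    tags = []
    if USER_WRITABLE_RE.search(exe):
        tags.append("user-writable-path")
    if CORE_NAME_RE.search(exe) and not exe.startswith("c:\\windows\\"):
        tags.append("core-name-outside-windows-dir")
    return tags


def triage(text):
    """Return (tag, line) pairs for entries worth a closer look."""
    sections = split_sections(text)
    findings = []
    for proc in sections.get("Running Processes", []):
        for tag in image_tags(executable_of(proc)):
            findings.append(("process:" + tag, proc))
    for line in sections.get("Pseudo HJT Report", []):
        m = AUTORUN_RE.match(line)
        if m:
            for tag in image_tags(executable_of(m.group(3))):
                findings.append(("autorun:" + tag, line))
            continue
        m = OBJECT_RE.match(line)
        if m and m.group(1).endswith("No File"):
            findings.append(("orphaned-entry", line))
            continue
        m = HOSTS_RE.match(line)
        if m and m.group(1) in ("127.0.0.1", "0.0.0.0", "::1") \
                and m.group(2).lower() != "localhost":
            findings.append(("hosts-sinkhole", line))
    return findings


if __name__ == "__main__":
    for tag, line in triage(SAMPLE_LOG):
        print(f"{tag:40} {line}")
```

A flagged line is a prompt to look closer, not a verdict: cross-check the image against the "Created Last 30" and "Services / Drivers" sections, and the vendor entries that legitimately live under a user profile (game launchers, update agents) against what the poster says they installed. Note that the printer-helper line is deliberately not flagged even though a temp file appears on it, because the launched image itself sits under system32.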


#3 emccormack

Topic Starter

Posted 11 January 2010 - 05:15 PM

Hi, thank you for the response. I am not sure whether or not the computer is infected. My World of Warcraft account was hacked, as well as my email address; though I have regained access to both, I would appreciate it if someone could check the logs for anything suspicious. I have always used Norton Internet Security to scan and protect my computer, along with keeping Windows up to date. Since the hack happened I have also installed SpywareBlaster and Spybot. I have also used Malwarebytes to scan the computer; everything has come up empty. I do not share account information or passwords with anyone, I am careful about the websites I visit, and no one except me has access to the computer, so I am a little confused as to how all this has come to happen. So at this point I have turned to you in hopes that you can either a) help me find whatever keylogger or whatever has wormed its way into the computer, or b) tell me I'm out of my mind, the computer is clean, and the hack happened through brute force or something. As a side note, when I run the GMER program it at first errors, saying "C:/windows/system32/config/system the system cannot find the file specified". I was able to click OK and run the scan anyway. After the scan it reports that no system modifications have been found; there is no further information, and clicking Save produces an empty log. I am going to retry GMER in Safe Mode and will post my results. In the meantime I have included the logs from DDS you asked for; if you require any other information, just let me know and I will provide you with whatever you need. Thank you again for your time and any help you can offer.

Eric


DDS (Ver_09-12-01.01) - NTFSX64
Run by Eric at 16:06:28.18 on Mon 01/11/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8186.5355 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Norton Internet Security *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\NCSoft\Launcher\NCLauncher.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files (x86)\WindowManager\WindowManager.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files (x86)\Razer\DeathAdder\razertra.exe
C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files (x86)\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe
C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe
C:\Program Files (x86)\Ideazon\ZEngine\Zboard.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Razer\Lycosa\razerhid.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Program Files (x86)\Razer\Lycosa\razertra.exe
C:\Program Files (x86)\WindowManager\WindowManager64.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Mozilla Firefox 3.6 Beta 5\firefox.exe
C:\Windows\splwow64.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Eric\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\syswow64\blank.htm
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~2\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files (x86)\norton internet security\engine\17.1.0.19\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files (x86)\norton internet security\engine\17.1.0.19\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files (x86)\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files (x86)\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files (x86)\norton internet security\engine\17.1.0.19\coIEPlg.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files (x86)\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Core Temp] "c:\users\eric\programs\core temp\Core Temp.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EPSON Stylus CX9400Fax Series] c:\windows\system32\spool\drivers\x64\3\e_iaticfa.exe /fu "c:\users\eric\appdata\local\temp\E_SEB38.tmp" /EF "HKCU"
uRun: [igndlm.exe] c:\program files (x86)\download manager\DLM.exe /windowsstart /startifwork
uRun: [NCsoft Launcher] c:\program files (x86)\ncsoft\launcher\NCLauncher.exe /Minimized
uRun: [swg] "c:\program files (x86)\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files (x86)\spybot - search & destroy\TeaTimer.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [DeathAdder] "c:\program files (x86)\razer\deathadder\razerhid.exe"
mRun: [Google Quick Search Box] "c:\program files (x86)\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Name of App] c:\program files (x86)\samsung\fw liveupdate\FWManager.exe r
mRun: [SteelSeries World of Warcraft MMO Gaming Mouse] "c:\program files (x86)\steelseries\world of warcraft mmo gaming mouse\WoWMHID.exe"
mRun: [VolPanel] "c:\program files (x86)\creative\volume panel\VolPanlu.exe" /r
mRun: [Zboard] c:\program files (x86)\ideazon\zengine\Zboard.exe
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files (x86)\ati\aticustomercare\ATICustomerCare.exe"
mRun: [Lycosa] "c:\program files (x86)\razer\lycosa\razerhid.exe"
dRun: [EPSON Stylus CX9400Fax Series] c:\windows\system32\spool\drivers\x64\3\e_iaticfa.exe /fu "c:\windows\temp\E_SA340.tmp" /EF "HKCU"
StartupFolder: c:\users\eric\appdata\roaming\micros~1\windows\startm~1\programs\startup\window~1.lnk - c:\program files (x86)\windowmanager\WindowManager.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~2\spybot~1\SDHelper.dll
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15110/CTPID.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~2\common~1\skype\SKYPE4~1.DLL
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg64.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll
TB-X64: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun-x64: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun-x64: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun-x64: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\eric\appdata\roaming\mozilla\firefox\profiles\l25n0k9j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://wow.curse.com/|http://www.nuiaddon.com/download.html|http://www.wowinterface.com/forums/forumdisplay.php?f=86|http://www.aionsource.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files (x86)\download manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox 3.6 beta 5\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox 3.6 beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys [2009-12-28 154256]
R0 amdide64;amdide64;c:\windows\system32\drivers\amdide64.sys [2009-9-13 10632]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nisx64\1101000.013\SymDS64.sys [2009-11-28 433200]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nisx64\1101000.013\SymEFA64.sys [2009-11-28 219184]
R1 BHDrvx64;BHDrvx64;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\bashdefs\20091205.001\BHDrvx64.sys [2009-12-4 668720]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nisx64\1101000.013\cchpx64.sys [2009-11-28 615040]
R1 IDSVia64;IDSVia64;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\ipsdefs\20100106.001\IDSviA64.sys [2010-1-8 466992]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nisx64\1101000.013\Ironx64.sys [2009-11-28 146992]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nisx64\1101000.013\symtdiv.sys [2009-11-28 450608]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-24 202752]
R2 NIS;Norton Internet Security.;c:\program files (x86)\norton internet security\engine\17.1.0.19\ccSvcHst.exe [2009-11-28 126392]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\spybot - search & destroy\SDWinSec.exe [2009-12-31 1153368]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 202776]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1417240]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 94744]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-8-2 12672]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-28 132656]
R3 Lycosa;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2009-12-31 20352]
R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [2009-12-12 12800]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-11-17 294400]
S1 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools64.sys [2009-9-21 38912]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x64.sys [2009-8-23 19432]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\common files\creative labs shared\service\AL6Licensing.exe [2009-8-2 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\common files\creative labs shared\service\CTAELicensing.exe [2009-8-2 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 202776]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1417240]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 94744]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-31 25832]

=============== Created Last 30 ================

2010-01-08 06:02:33 200704 ----a-w- c:\windows\syswow64\ssleay32.dll
2010-01-08 06:02:33 200704 ----a-w- c:\windows\syswow64\libssl32.dll
2010-01-08 06:02:33 1017344 ----a-w- c:\windows\syswow64\libeay32.dll
2010-01-08 06:02:33 0 d-----w- C:\OpenSSL
2010-01-01 02:24:10 0 d-----w- c:\programdata\BioWare
2010-01-01 02:13:59 0 d-----w- c:\programdata\Razer
2010-01-01 02:13:13 20352 ----a-w- c:\windows\system32\drivers\Lycosa.sys
2010-01-01 02:13:12 65536 ----a-w- c:\windows\syswow64\Lycosa.cpl
2010-01-01 02:06:20 0 d-----w- c:\windows\syswow64\AGEIA
2010-01-01 01:52:08 0 d-----w- c:\program files (x86)\Dragon Age
2010-01-01 01:52:08 0 d-----w- c:\program files (x86)\common files\BioWare
2010-01-01 01:48:59 2222800 ----a-w- c:\windows\syswow64\d3dx9_24.dll
2009-12-31 17:58:01 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-31 17:58:01 0 d-----w- c:\program files (x86)\Spybot - Search & Destroy
2009-12-31 17:21:40 0 d---a-w- c:\programdata\TEMP
2009-12-31 17:21:36 118784 ----a-w- c:\windows\syswow64\MSSTDFMT.DLL
2009-12-31 17:21:36 1071088 ----a-w- c:\windows\syswow64\MSCOMCTL.OCX
2009-12-31 17:21:35 0 d-----w- c:\program files (x86)\SpywareBlaster
2009-12-30 23:59:54 0 d-----w- c:\users\eric\appdata\roaming\Malwarebytes
2009-12-30 23:59:50 22104 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 23:59:50 0 d-----w- c:\programdata\Malwarebytes
2009-12-30 23:59:50 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2009-12-30 19:46:51 0 d-----w- c:\programdata\DeskSoft
2009-12-30 19:46:35 0 d-----w- c:\users\eric\appdata\roaming\DeskSoft
2009-12-30 19:46:35 0 d-----w- c:\program files (x86)\WindowManager
2009-12-30 05:31:26 737230072 ----a-w- c:\windows\MEMORY.DMP
2009-12-30 01:29:30 0 d-----w- c:\programdata\ATI
2009-12-30 01:25:36 0 d-----w- c:\program files (x86)\common files\ATI Technologies
2009-12-30 01:24:02 0 d-----w- c:\program files\ATI Technologies
2009-12-30 01:23:58 0 d-----w- c:\program files\ATI
2009-12-30 00:39:12 0 d-----w- c:\windows\syswow64\Adobe
2009-12-30 00:29:41 149280 ----a-w- c:\windows\syswow64\javaws.exe
2009-12-30 00:29:41 145184 ----a-w- c:\windows\syswow64\javaw.exe
2009-12-30 00:29:41 145184 ----a-w- c:\windows\syswow64\java.exe
2009-12-28 23:57:01 0 d-----w- c:\windows\Panther
2009-12-28 23:56:40 154256 ----a-r- c:\windows\system32\drivers\ahcix64s.sys
2009-12-28 23:49:52 0 d--h--w- C:\$WINDOWS.~Q
2009-12-28 23:47:14 0 d--h--w- C:\$INPLACE.~TR
2009-12-28 22:23:10 0 d-----w- c:\program files (x86)\Mozilla Firefox 3.6 Beta 5
2009-12-28 21:51:13 2048 ----a-w- c:\windows\syswow64\tzres.dll
2009-12-28 21:51:13 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-28 21:50:36 311808 ----a-w- c:\windows\system32\msv1_0.dll
2009-12-28 21:50:36 257024 ----a-w- c:\windows\syswow64\msv1_0.dll
2009-12-28 21:36:42 20 --sh--w- c:\users\eric\ntuser.ini
2009-12-28 21:36:37 0 d-sh--w- C:\Recovery
2009-12-28 21:23:55 23356 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-28 21:06:28 743126 ----a-w- c:\windows\syswow64\PerfStringBackup.INI
2009-12-28 21:06:13 0 d-----w- c:\windows\syswow64\URTTEMP
2009-12-28 21:06:03 0 d-sh--w- c:\windows\Installer
2009-12-28 21:05:29 0 d-----w- c:\programdata\Creative
2009-12-28 21:05:28 102400 ----a-w- c:\windows\syswow64\cttele32.dll
2009-12-28 21:05:27 107008 ----a-w- c:\windows\system32\cttele64.dll
2009-12-28 21:05:25 0 d-----w- c:\programdata\EPSON
2009-12-28 21:05:17 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-12-28 21:05:17 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-12-28 21:02:42 0 ----a-w- c:\windows\ativpsrm.bin
2009-12-28 21:02:27 89088 ----a-w- c:\windows\system32\CmdRtr64.DLL
2009-12-28 21:02:27 73728 ----a-w- c:\windows\syswow64\CmdRtr.DLL
2009-12-28 21:02:27 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2009-12-28 21:02:27 444952 ----a-w- c:\windows\syswow64\wrap_oal.dll
2009-12-28 21:02:27 190976 ----a-w- c:\windows\system32\APOMgr64.DLL
2009-12-28 21:02:27 159 ---ha-r- c:\windows\ctfile.rfc
2009-12-28 21:02:27 148480 ----a-w- c:\windows\syswow64\APOMngr.DLL
2009-12-28 21:02:27 121880 ----a-w- c:\windows\system32\OpenAL32.dll
2009-12-28 21:02:27 109080 ----a-w- c:\windows\syswow64\OpenAL32.dll
2009-12-28 21:02:27 0 d-----w- c:\program files (x86)\OpenAL
2009-12-28 21:02:18 0 d-----w- c:\windows\syswow64\data
2009-12-28 21:02:16 0 d-----w- c:\windows\system32\data
2009-12-28 21:01:38 9504 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2009-12-28 21:01:38 9504 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2009-12-28 21:01:15 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-12-28 19:45:08 1890 ----a-w- c:\windows\diagwrn.xml
2009-12-28 19:45:08 1890 ----a-w- c:\windows\diagerr.xml
2009-12-26 02:08:42 0 d-----w- c:\users\eric\appdata\roaming\Razer
2009-12-16 09:54:12 4764 ----a-w- c:\users\eric\.recently-used.xbel

==================== Find3M ====================

2009-12-30 00:29:35 411368 ----a-w- c:\windows\syswow64\deploytk.dll
2009-11-28 23:40:12 854 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.INF
2009-11-28 23:40:12 7440 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.CAT
2009-11-28 23:40:12 173104 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2009-11-26 22:01:29 4876 ----a-w- c:\windows\syswow64\FilterData.dat
2009-11-25 03:52:14 6174720 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2009-11-25 03:18:02 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-11-25 03:17:52 446976 ----a-w- c:\windows\system32\atieclxx.exe
2009-11-25 03:17:16 202752 ----a-w- c:\windows\system32\atiesrxx.exe
2009-11-25 03:15:54 120320 ----a-w- c:\windows\system32\atitmm64.dll
2009-11-25 03:15:36 421376 ----a-w- c:\windows\system32\atipdl64.dll
2009-11-25 03:15:28 356352 ----a-w- c:\windows\syswow64\atipdlxx.dll
2009-11-25 03:15:14 274432 ----a-w- c:\windows\syswow64\Oemdspif.dll
2009-11-25 03:15:06 12288 ----a-w- c:\windows\system32\atimuixx.dll
2009-11-25 03:15:02 59392 ----a-w- c:\windows\system32\atiedu64.dll
2009-11-25 03:14:58 43520 ----a-w- c:\windows\syswow64\ati2edxx.dll
2009-11-25 03:12:12 3055616 ----a-w- c:\windows\syswow64\atidxx32.dll
2009-11-25 03:04:30 3661824 ----a-w- c:\windows\system32\atidxx64.dll
2009-11-25 03:02:20 17625088 ----a-w- c:\windows\system32\atio6axx.dll
2009-11-25 02:55:58 3617792 ----a-w- c:\windows\syswow64\atiumdag.dll
2009-11-25 02:50:14 4683776 ----a-w- c:\windows\system32\atiumd64.dll
2009-11-25 02:44:56 13487616 ----a-w- c:\windows\syswow64\atioglxx.dll
2009-11-25 02:43:54 2601984 ----a-w- c:\windows\system32\atiumd6a.dll
2009-11-25 02:37:58 2899968 ----a-w- c:\windows\syswow64\atiumdva.dll
2009-11-25 02:25:46 53248 ----a-w- c:\windows\system32\atimpc64.dll
2009-11-25 02:25:46 53248 ----a-w- c:\windows\system32\amdpcom64.dll
2009-11-25 02:25:38 52224 ----a-w- c:\windows\syswow64\atimpc32.dll
2009-11-25 02:25:38 52224 ----a-w- c:\windows\syswow64\amdpcom32.dll
2009-11-25 02:25:16 312320 ----a-w- c:\windows\system32\atiadlxx.dll
2009-11-25 02:25:08 225280 ----a-w- c:\windows\syswow64\atiadlxy.dll
2009-11-25 02:21:54 43008 ----a-w- c:\windows\system32\aticalrt64.dll
2009-11-25 02:21:52 53248 ----a-w- c:\windows\syswow64\aticalrt.dll
2009-11-25 02:21:38 39936 ----a-w- c:\windows\system32\aticalcl64.dll
2009-11-25 02:21:36 53248 ----a-w- c:\windows\syswow64\aticalcl.dll
2009-11-25 02:21:24 4740096 ----a-w- c:\windows\system32\aticaldd64.dll
2009-11-25 02:20:26 3629056 ----a-w- c:\windows\syswow64\aticaldd.dll
2009-11-25 02:10:14 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2009-11-19 07:22:46 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2009-11-19 07:22:46 5958656 ----a-w- c:\windows\syswow64\mshtml.dll
2009-11-17 22:01:20 294400 ----a-w- c:\windows\system32\drivers\Rt64win7.sys
2009-11-16 08:13:26 271360 ----a-w- c:\windows\system32\drivers\Rtlh64.sys
2009-11-12 12:24:34 97792 ----a-w- c:\windows\system32\RTNUninst64.dll
2009-11-06 08:58:34 499712 ----a-w- c:\windows\syswow64\msvcp71.dll
2009-11-06 08:58:34 348160 ----a-w- c:\windows\syswow64\msvcr71.dll
2009-10-22 15:59:00 196565 ----a-w- c:\windows\system32\atiicdxx.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 16:06:57.59 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/28/2009 4:36:39 PM
System Uptime: 1/8/2010 12:29:25 AM (88 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO.,LTD | | MS-7376
Processor: AMD Phenom™ II X4 955 Processor | CPU 1 | 3600/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 562 GiB total, 300.905 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 34 GiB total, 34.089 GiB free.
F: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 12/28/2009 4:38:04 PM - Installed Creative Audio Control Panel
RP2: 12/28/2009 4:41:10 PM - Installed Creative Software AutoUpdate
RP3: 12/28/2009 4:48:43 PM - Windows Update
RP4: 12/29/2009 7:28:27 PM - Removed Java™ 6 Update 17
RP5: 12/29/2009 7:29:24 PM - Installed Java™ 6 Update 17
RP6: 12/29/2009 8:22:12 PM - Removed Razer Lycosa
RP7: 12/31/2009 8:48:30 PM - Installed DirectX
RP8: 12/31/2009 9:13:02 PM - Installed Razer Lycosa
RP9: 12/31/2009 9:13:29 PM - Device Driver Package Install: Razer Human Interface Devices
RP10: 1/8/2010 6:54:01 AM - Scheduled Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Adobe Shockwave Player 11.5
Aion
AMD DnD V1.0.19
ATI Catalyst Registration
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
ccc-core-static
CCC Help English
CCleaner
Choice Guard
Compatibility Pack for the 2007 Office system
Creative ALchemy
Creative Audio Control Panel
Creative Console Launcher
Creative MediaSource 5
Creative Smart Recorder
Creative Software AutoUpdate
Creative Sound Blaster Properties x64 Edition
Creative WaveStudio 7
Crysis WARHEAD®
Crysis Wars®
Crysis®
Download Manager 2.3.9
Dragon Age: Origins
Driver Sweeper 2.0.5
Dungeons & Dragons Online ®: Eberron Unlimited ™ v01.09.03.800
EA Download Manager
EPSON Scan
FW LiveUpdate
GameSpy Comrade
Gimp 2.6.2 Debug
Google Toolbar for Internet Explorer
HD Tune Pro 3.50
Java™ 6 Update 17
Junk Mail filter update
Last.fm 1.5.4.24567
LightScribe 1.8.15.1
Logitech Harmony Remote Software 7
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Mozilla Firefox (3.5.6)
Mozilla Firefox (3.6)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NCsoft Launcher
Nero 7 Essentials
neroxml
Norton Internet Security
Notepad++
NVIDIA PhysX
OpenAL
OpenSSL 0.9.8k Light (32-bit)
PC Wizard 2009.1.90
Razer DeathAdder™ Mouse
Razer Lycosa
Remote Control USB Driver
Runes of Magic
Skype web features
Skype™ 4.1
SoundFont Bank Manager
Spybot - Search & Destroy
SpywareBlaster 4.2
Stardock MyColors
System Requirements Lab
The Lord of the Rings Online™: Mines of Moria™ v02.01.03.4021
Volume Panel
Warcraft III
Warcraft III: All Products
Warhammer Online - Age of Reckoning
WebPAM
WindowManager
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Sign-in Assistant
Windows Live Upload Tool
World of Warcraft
World of Warcraft MMO Gaming Mouse
Xfire (remove only)
XnView 1.96.1
Z Engine

==== Event Viewer Messages From Past Week ========

1/8/2010 12:30:29 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdTools
1/8/2010 12:28:09 AM, Error: Service Control Manager [7016] - The NVIDIA Display Driver Service service has reported an invalid current state 32.
1/4/2010 1:53:37 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer SEAN that believes that it is the master browser for the domain on transport NetBT_Tcpip_{A87B4F0D-9595-480B-8079-12130364362D}. The master browser is stopping or an election is being forced.

==== End Of File ===========================

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:38 AM

Posted 12 January 2010 - 09:48 AM

To be honest, I don't see anything wrong here. It is well possible that your account was hacked because you inadvertently introduced your data (password/usernames/email) on a site that is not trustworthy or clicked a phishing link.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  • Push the Posted Image button.
  • Push Posted Image

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 emccormack

emccormack
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 13 January 2010 - 08:51 PM

Ok, the scan from ESET Online Scan came up empty. I appreciate your time, and, well, I am glad that the computer is ok; it still bothers me that I haven't found the source of the problem. I am 100% sure I didn't respond to any phishing emails and am equally sure that I didn't enter my information into any unofficial sites, very odd.

Thank You again for your time,
Eric

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:38 AM

Posted 14 January 2010 - 05:21 AM

Hello emccormack,

I am sorry not to be able to clarify this for you. For now, please read the following advice and let me know if you have any more questions.

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide resident protection and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise


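The hosts file that Elise recommends above works by mapping unwanted domain names to a sink address such as 0.0.0.0, so they resolve to nowhere. The same file is also a favourite target for tampering: an entry that points an update or login domain at an attacker's server survives reboots and silently redirects traffic. The small audit below, written for this thread and not part of the MVPs hosts project or any tool mentioned in it, parses a hosts file and separates legitimate block entries from suspicious overrides of domains a defender never expects to see rewritten locally. The sample file, the 192.0.2.10 address (a documentation range) and the PROTECTED_DOMAINS list are constructed for the example; adapt that list to the domains that matter on your own machine.

```python
"""Audit a Windows-style hosts file for blocklist entries and suspicious
redirections. Added example for this thread; not a tool from the thread
or from the MVPs hosts project. All sample data below is constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

# Sink addresses: mapping a name here neutralises it, which is exactly what
# blocklist-style hosts files (such as the MVPs file) do on purpose.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Domains that should never be overridden locally. A mapping of one of these
# to a non-sink address is a classic sign of hosts-file tampering, because it
# can redirect updates or logins to a host the attacker controls.
# Constructed list for the example (assumption); extend it for your own needs.
PROTECTED_DOMAINS = {
    "update.microsoft.com",
    "www.update.microsoft.com",
    "liveupdate.symantec.com",
    "us.battle.net",
}

# <address> <name> [<name> ...] [# comment]
HOSTS_LINE = re.compile(r"^\s*(?P<ip>\S+)\s+(?P<names>[^#]+?)\s*(?:#.*)?$")


@dataclass
class HostsAudit:
    blocked: list = field(default_factory=list)     # (name, ip) sinkholed on purpose
    suspicious: list = field(default_factory=list)  # (name, ip) protected name -> real IP
    malformed: list = field(default_factory=list)   # raw lines that did not parse
    entries: int = 0                                # total name->address mappings seen


def parse_hosts(text):
    """Yield (ip, [names]) for each non-comment line. Lines that do not parse
    (or whose first field is not an IP address) are yielded as (None, [raw])."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            yield None, [raw]
            continue
        ip = m.group("ip")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            yield None, [raw]
            continue
        yield ip, m.group("names").split()


def audit_hosts(text):
    """Classify every mapping in the hosts file text and return a HostsAudit."""
    result = HostsAudit()
    for ip, names in parse_hosts(text):
        if ip is None:
            result.malformed.append(names[0])
            continue
        for name in names:
            result.entries += 1
            lname = name.lower()
            if ip in SINK_ADDRESSES:
                # The loopback mapping for localhost is expected, not a block entry.
                if lname not in ("localhost", "localhost.localdomain"):
                    result.blocked.append((lname, ip))
            elif lname in PROTECTED_DOMAINS:
                result.suspicious.append((lname, ip))
    return result


# Constructed sample: two normal entries, two blocklist entries, one tampered
# mapping of an update domain to a non-sink address, and one garbage line.
SAMPLE_HOSTS = """\
# Constructed sample hosts file for the example
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example.test          # blocklist-style entry
0.0.0.0 tracker.example.test
192.0.2.10 update.microsoft.com www.update.microsoft.com
garbage line without an address
"""

if __name__ == "__main__":
    audit = audit_hosts(SAMPLE_HOSTS)
    print(f"{audit.entries} mappings, {len(audit.blocked)} block entries")
    for name, ip in audit.suspicious:
        print(f"SUSPICIOUS: {name} -> {ip}")
    for raw in audit.malformed:
        print(f"malformed: {raw!r}")
```

On a Windows machine the file to read is %SystemRoot%\System32\drivers\etc\hosts; pass its contents to audit_hosts() in place of the sample text. An empty suspicious list together with a long blocked list is what a healthy MVPs-style installation looks like, and anything in suspicious deserves a look before the next update or login.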


#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:38 AM

Posted 22 January 2010 - 06:51 AM

Since the issue seems to be resolved, this topic will now be closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise






