
Was hacked and trying to remove a Key logger


  • This topic is locked
4 replies to this topic

#1 hhgail

  • Members
  • 2 posts

Posted 15 March 2010 - 12:04 PM

This morning my WoW acct was hacked with a keylogger. I have that mess cleared up but I'm afraid to try to log in at WoW without removing the offending bugs.

Your help is greatly appreciated and there's a McDonald's night on the town in it for ya!

Thanks
--Gail
****************************************************************************************************

DDS (Ver_09-12-01.01) - NTFSx86
Run by USER at 12:46:19.89 on Mon 03/15/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3007.2353 [GMT -4:00]

AV: PC Tools AntiVirus 6.0.0.18 *On-access scanning enabled* (Updated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}
AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\USER.USER-FE5805DFBA\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\arcsoft\mediac~1\intern~1\ARCURL~1.DLL
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [vstwumlf] c:\documents and settings\user.user-fe5805dfba\local settings\application data\quhndq\smmjsysguard.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Lnixenuwiqinoqo] rundll32.exe "c:\windows\ewimucoroje.dll",Startup
mRunOnce: [NSSInstallation] c:\windows\system32\adobe\shockwave 11\nssstub.exe /RunOnce
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
LSA: Notification Packages = scecli detect.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
IFEO: iexplore.exe - c:\windows\system32\ropfnqz.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user~1.use\applic~1\mozilla\firefox\profiles\omfun4dk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\user.user-fe5805dfba\application data\mozilla\firefox\profiles\omfun4dk.default\extensions\{38ab6a6c-cc4c-4f9e-a3dd-3c5681ef18a1}\plugins\npsoe.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XULRunner: {2EC940F3-DC0C-4CCC-8EE8-23D143CE3CE7} - c:\documents and settings\user.user-fe5805dfba\local settings\application data\{2EC940F3-DC0C-4CCC-8EE8-23D143CE3CE7}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-4 130424]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-1-14 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-1-14 59664]
R2 AVFilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2009-4-4 21904]
R2 PCTAVSvc;PC Tools AntiVirus Engine;c:\program files\pc tools antivirus\PCTAVSvc.exe [2009-4-4 826600]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 AVHook;AVHook;c:\windows\system32\drivers\AVHook.sys [2009-4-4 28560]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-1-14 33552]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-25 24652]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2010-03-15 15:04:37 230 ----a-w- c:\windows\system32\spupdsvc.inf
2010-03-15 15:04:01 66048 ----a-w- c:\windows\ieResetIcons.exe
2010-03-15 14:49:22 0 d-----w- c:\docume~1\user~1.use\applic~1\AVG8
2010-03-11 23:42:41 0 d-----w- c:\docume~1\user~1.use\applic~1\ShinyTales
2010-03-11 23:42:00 0 d-----w- c:\program files\Potion Bar
2010-03-11 00:37:20 0 d-----w- c:\docume~1\alluse~1\applic~1\FarmFrenzy3_Arctica
2010-03-11 00:35:16 0 d-----w- c:\program files\Farm Frenzy 3 Ice Age
2010-03-10 00:03:49 0 d-----w- c:\docume~1\user~1.use\applic~1\SprillRichiEng
2010-03-10 00:02:08 0 d-----w- c:\program files\Sprill & Ritchie Adventures in Time
2010-03-09 01:28:22 0 d-----w- c:\docume~1\user~1.use\applic~1\iMaxGen
2010-03-09 01:21:36 0 d-----w- c:\program files\Jane Angel Templar Mystery
2010-03-05 14:46:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Cateia Games
2010-03-05 14:45:19 0 d-----w- c:\program files\Shaman Odyssey Tropic Adventure
2010-03-03 23:26:47 0 d-----w- c:\program files\Hidden Identity - Chicago Blackout
2010-03-01 23:21:05 0 d-----w- c:\program files\Youda Legend The Golden Bird of Paradise
2010-02-27 17:20:30 0 ----a-w- c:\windows\Ihodilowadila.bin
2010-02-27 17:20:29 120 ----a-w- c:\windows\Hpamacolalocupu.dat
2010-02-27 15:10:40 0 d-----w- c:\program files\Azada
2010-02-26 22:36:22 0 d-----w- c:\docume~1\user~1.use\applic~1\Big Fish Games
2010-02-26 22:35:24 0 d-----w- c:\program files\Azada Ancient Magic
2010-02-25 23:33:03 0 d-----w- c:\program files\Alices Tea Cup Madness
2010-02-25 03:26:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Nevosoft
2010-02-25 03:24:18 0 d-----w- c:\program files\Escape From Lost Island
2010-02-23 17:05:19 0 d-----w- c:\program files\Amazonia
2010-02-22 23:11:30 0 d-----w- c:\docume~1\alluse~1\applic~1\DivoGames
2010-02-22 23:05:21 0 d-----w- c:\program files\Be Rich
2010-02-21 20:43:35 0 d-----w- c:\docume~1\user~1.use\applic~1\Sony Online Entertainment
2010-02-20 11:24:16 0 d-----w- c:\docume~1\user~1.use\applic~1\PMC
2010-02-20 02:44:00 0 d-----w- c:\docume~1\user~1.use\applic~1\Artogon
2010-02-20 02:42:56 0 d-----w- c:\program files\Treasure Seekers The Enchanted Canvases
2010-02-19 14:06:18 0 d-----w- c:\documents and settings\user.user-fe5805dfba\Reflexive
2010-02-19 14:04:59 0 d-----w- c:\program files\The Dracula Files
2010-02-18 16:46:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Zylom
2010-02-18 16:45:32 0 d-----w- c:\program files\Delicious 2 Deluxe
2010-02-17 20:54:15 0 d-----w- c:\program files\Jewel Quest Heritage
2010-02-17 00:08:44 0 d-----w- c:\program files\Leeloos Talent Agency
2010-02-16 13:53:59 0 d-----w- c:\program files\Costume Chaos
2010-02-16 05:29:37 0 d-----w- c:\docume~1\user~1.use\applic~1\Ludia
2010-02-16 05:29:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Ludia
2010-02-16 05:28:26 0 d-----w- c:\program files\Hells Kitchen
2010-02-15 23:41:49 0 d-----w- c:\program files\Shutter Island

==================== Find3M ====================

2010-03-15 15:20:40 1536 ----a-w- c:\windows\system32\krl32mainweq.dll
2010-01-14 23:08:30 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2010-01-14 23:08:29 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2010-01-14 23:08:28 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2010-01-06 23:04:44 6435 ----a-w- c:\windows\system32\WORK.DAT
2010-01-06 23:04:44 24576 ----a-w- c:\windows\system32\0019.DLL
2009-12-28 15:06:32 5196 ----a-w- c:\windows\system32\7b7zs95rse2468.bin
2009-12-27 04:41:22 14426 ----a-w- c:\windows\6zf3ba9k5oor1605.dll
2009-12-26 15:27:46 5646 ----a-w- c:\windows\939spyware2725z.bin
2009-12-22 00:00:58 7196 ----a-w- c:\windows\424fbazkdoo99285.exe
2009-12-21 22:42:53 4094 ----a-w- c:\windows\91615zy663.bin
2009-12-20 00:46:08 4385 ----a-w- c:\windows\5z6adown5o9der1359.bin
2009-12-16 14:06:12 12228 ----a-w- c:\windows\system32\5c8bzckd5o9214.bin
2008-08-24 23:22:15 1283912 ----a-w- c:\program files\WoW-2.3.0.7561-enUS-downloader.exe

============= FINISH: 12:48:29.85 ===============

#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 15 March 2010 - 04:09 PM

Good evening.

Will you follow steps 6, 7 and 8 here and post the relevant results into this thread.

So long, and thanks for all the fish.

 

 


#3 hhgail

  • Topic Starter
  • Members
  • 2 posts

Posted 15 March 2010 - 05:28 PM

Here is the step that you requested.
Again thanks for your help.
--Gail

****************************************************************************************************
DDS (Ver_09-12-01.01) - NTFSx86
Run by USER at 18:04:06.71 on Mon 03/15/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3007.2019 [GMT -4:00]

AV: PC Tools AntiVirus 6.0.0.18 *On-access scanning enabled* (Updated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}
AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\USER.USER-FE5805DFBA\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\arcsoft\mediac~1\intern~1\ARCURL~1.DLL
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [vstwumlf] c:\documents and settings\user.user-fe5805dfba\local settings\application data\quhndq\smmjsysguard.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Lnixenuwiqinoqo] rundll32.exe "c:\windows\ewimucoroje.dll",Startup
mRunOnce: [NSSInstallation] c:\windows\system32\adobe\shockwave 11\nssstub.exe /RunOnce
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
LSA: Notification Packages = scecli detect.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
IFEO: iexplore.exe - c:\windows\system32\ropfnqz.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user~1.use\applic~1\mozilla\firefox\profiles\omfun4dk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\user.user-fe5805dfba\application data\mozilla\firefox\profiles\omfun4dk.default\extensions\{38ab6a6c-cc4c-4f9e-a3dd-3c5681ef18a1}\plugins\npsoe.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XULRunner: {2EC940F3-DC0C-4CCC-8EE8-23D143CE3CE7} - c:\documents and settings\user.user-fe5805dfba\local settings\application data\{2EC940F3-DC0C-4CCC-8EE8-23D143CE3CE7}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-4 130424]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-1-14 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-1-14 59664]
R2 AVFilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2009-4-4 21904]
R2 PCTAVSvc;PC Tools AntiVirus Engine;c:\program files\pc tools antivirus\PCTAVSvc.exe [2009-4-4 826600]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 AVHook;AVHook;c:\windows\system32\drivers\AVHook.sys [2009-4-4 28560]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-1-14 33552]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-25 24652]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2010-03-15 22:03:22 0 ----a-w- c:\documents and settings\user.user-fe5805dfba\defogger_reenable
2010-03-15 17:50:46 0 d-----w- c:\program files\common files\Scanner
2010-03-15 17:50:42 0 d-----w- c:\program files\CA Yahoo! Anti-Spy
2010-03-15 15:04:37 230 ----a-w- c:\windows\system32\spupdsvc.inf
2010-03-15 15:04:01 66048 ----a-w- c:\windows\ieResetIcons.exe
2010-03-15 14:49:22 0 d-----w- c:\docume~1\user~1.use\applic~1\AVG8
2010-03-11 23:42:41 0 d-----w- c:\docume~1\user~1.use\applic~1\ShinyTales
2010-03-11 23:42:00 0 d-----w- c:\program files\Potion Bar
2010-03-11 00:37:20 0 d-----w- c:\docume~1\alluse~1\applic~1\FarmFrenzy3_Arctica
2010-03-11 00:35:16 0 d-----w- c:\program files\Farm Frenzy 3 Ice Age
2010-03-10 00:03:49 0 d-----w- c:\docume~1\user~1.use\applic~1\SprillRichiEng
2010-03-10 00:02:08 0 d-----w- c:\program files\Sprill & Ritchie Adventures in Time
2010-03-09 01:28:22 0 d-----w- c:\docume~1\user~1.use\applic~1\iMaxGen
2010-03-09 01:21:36 0 d-----w- c:\program files\Jane Angel Templar Mystery
2010-03-05 14:46:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Cateia Games
2010-03-05 14:45:19 0 d-----w- c:\program files\Shaman Odyssey Tropic Adventure
2010-03-03 23:26:47 0 d-----w- c:\program files\Hidden Identity - Chicago Blackout
2010-03-01 23:21:05 0 d-----w- c:\program files\Youda Legend The Golden Bird of Paradise
2010-02-27 17:20:30 0 ----a-w- c:\windows\Ihodilowadila.bin
2010-02-27 17:20:29 120 ----a-w- c:\windows\Hpamacolalocupu.dat
2010-02-27 15:10:40 0 d-----w- c:\program files\Azada
2010-02-26 22:36:22 0 d-----w- c:\docume~1\user~1.use\applic~1\Big Fish Games
2010-02-26 22:35:24 0 d-----w- c:\program files\Azada Ancient Magic
2010-02-25 23:33:03 0 d-----w- c:\program files\Alices Tea Cup Madness
2010-02-25 03:26:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Nevosoft
2010-02-25 03:24:18 0 d-----w- c:\program files\Escape From Lost Island
2010-02-23 17:05:19 0 d-----w- c:\program files\Amazonia
2010-02-22 23:11:30 0 d-----w- c:\docume~1\alluse~1\applic~1\DivoGames
2010-02-22 23:05:21 0 d-----w- c:\program files\Be Rich
2010-02-21 20:43:35 0 d-----w- c:\docume~1\user~1.use\applic~1\Sony Online Entertainment
2010-02-20 11:24:16 0 d-----w- c:\docume~1\user~1.use\applic~1\PMC
2010-02-20 02:44:00 0 d-----w- c:\docume~1\user~1.use\applic~1\Artogon
2010-02-20 02:42:56 0 d-----w- c:\program files\Treasure Seekers The Enchanted Canvases
2010-02-19 14:06:18 0 d-----w- c:\documents and settings\user.user-fe5805dfba\Reflexive
2010-02-19 14:04:59 0 d-----w- c:\program files\The Dracula Files
2010-02-18 16:46:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Zylom
2010-02-18 16:45:32 0 d-----w- c:\program files\Delicious 2 Deluxe
2010-02-17 20:54:15 0 d-----w- c:\program files\Jewel Quest Heritage
2010-02-17 00:08:44 0 d-----w- c:\program files\Leeloos Talent Agency
2010-02-16 13:53:59 0 d-----w- c:\program files\Costume Chaos
2010-02-16 05:29:37 0 d-----w- c:\docume~1\user~1.use\applic~1\Ludia
2010-02-16 05:29:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Ludia
2010-02-16 05:28:26 0 d-----w- c:\program files\Hells Kitchen
2010-02-15 23:41:49 0 d-----w- c:\program files\Shutter Island

==================== Find3M ====================

2010-03-15 15:20:40 1536 ----a-w- c:\windows\system32\krl32mainweq.dll
2010-01-14 23:08:30 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2010-01-14 23:08:29 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2010-01-14 23:08:28 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2010-01-06 23:04:44 6435 ----a-w- c:\windows\system32\WORK.DAT
2010-01-06 23:04:44 24576 ----a-w- c:\windows\system32\0019.DLL
2009-12-28 15:06:32 5196 ----a-w- c:\windows\system32\7b7zs95rse2468.bin
2009-12-27 04:41:22 14426 ----a-w- c:\windows\6zf3ba9k5oor1605.dll
2009-12-26 15:27:46 5646 ----a-w- c:\windows\939spyware2725z.bin
2009-12-22 00:00:58 7196 ----a-w- c:\windows\424fbazkdoo99285.exe
2009-12-21 22:42:53 4094 ----a-w- c:\windows\91615zy663.bin
2009-12-20 00:46:08 4385 ----a-w- c:\windows\5z6adown5o9der1359.bin
2009-12-16 14:06:12 12228 ----a-w- c:\windows\system32\5c8bzckd5o9214.bin
2008-08-24 23:22:15 1283912 ----a-w- c:\program files\WoW-2.3.0.7561-enUS-downloader.exe

============= FINISH: 18:06:05.34 ===

****************************************************************************************************

I have downloaded the GMER file twice, once from each link, and cannot get it to run.
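Reading the two DDS logs in this thread (the first post and the re-run above) the way a responder would, three lines in the Pseudo HJT Report matter more than the random-named .bin and .dll files: the IFEO entry for iexplore.exe, the extra detect.dll in LSA Notification Packages, and the per-user Run entry for smmjsysguard.exe under Local Settings\Application Data. The script below is an added example; it is not part of either post and not part of DDS. It parses a constructed excerpt of those log lines (copied from the logs above) and flags them. The "user-writable profile directory" and "DLL directly in the Windows directory" rules are heuristics chosen for this example; the one hard fact it relies on is that Windows XP registers scecli alone as an LSA notification package by default. It needs Python 3.9 or later.

```python
"""Triage a DDS 'Pseudo HJT Report' for the persistence entries seen in this thread."""
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines copied from the DDS logs posted in this thread.
SAMPLE_DDS = r"""
uRun: [vstwumlf] c:\documents and settings\user.user-fe5805dfba\local settings\application data\quhndq\smmjsysguard.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Lnixenuwiqinoqo] rundll32.exe "c:\windows\ewimucoroje.dll",Startup
LSA: Notification Packages = scecli detect.dll
IFEO: iexplore.exe - c:\windows\system32\ropfnqz.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    key: str       # the executable, package or Run-entry name that was flagged
    reason: str
    line: str


# Windows XP ships with only scecli registered under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages.
LSA_DEFAULT_PACKAGES = {"scecli"}

# Per-user, user-writable locations. Heuristic chosen for this example:
# vendor software rarely autoruns from here, droppers usually do.
USER_WRITABLE_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
)

IFEO_RE = re.compile(r"^IFEO:\s*(?P<exe>\S+)\s*-\s*(?P<debugger>.+)$", re.I)
LSA_RE = re.compile(r"^LSA:\s*Notification Packages\s*=\s*(?P<pkgs>.+)$", re.I)
RUN_RE = re.compile(r"^[um]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$", re.I)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)
# A DLL sitting directly in c:\windows (not in a subdirectory) is another heuristic.
WINDIR_ROOT_DLL_RE = re.compile(r"c:\\windows\\[^\\]+\.dll")


def triage(dds_text: str) -> list[Finding]:
    """Return one Finding per suspicious persistence entry, in log order."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if m := IFEO_RE.match(line):
            # An IFEO "Debugger" value makes Windows start that program instead of
            # the named executable every time it is launched. DDS only prints the
            # key when one is set, and nothing legitimate sets it on iexplore.exe.
            findings.append(Finding("high", m["exe"].lower(),
                f"IFEO Debugger {m['debugger'].strip()} runs whenever {m['exe']} is launched", line))
        elif m := LSA_RE.match(line):
            # Notification packages are loaded into lsass.exe and are handed the
            # new plaintext password whenever an account password is changed.
            for pkg in m["pkgs"].split():
                if pkg.lower().removesuffix(".dll") not in LSA_DEFAULT_PACKAGES:
                    findings.append(Finding("high", pkg.lower(),
                        "non-default LSA Notification Package loaded into lsass", line))
        elif m := RUN_RE.match(line):
            cmd = m["cmd"].strip().lower()
            if any(d in cmd for d in USER_WRITABLE_DIRS):
                findings.append(Finding("medium", m["name"],
                    "autorun launched from a user-writable profile directory", line))
            elif (d := RUNDLL_RE.match(cmd)) and WINDIR_ROOT_DLL_RE.fullmatch(d["dll"].strip()):
                findings.append(Finding("medium", m["name"],
                    "rundll32 loading a DLL dropped directly in the Windows directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.key}: {f.reason}\n         {f.line}")
```

Run against the sample it reports four entries: the two high-severity ones (the IFEO debugger and detect.dll) and the two Run entries, while the ThreatFire, PC Tools and NVIDIA lines pass. Clearing those entries is only part of the job; a keylogger that has already shipped credentials means the WoW password and any password changed while detect.dll was loaded should be treated as known to the attacker and changed from a clean machine.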

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 16 March 2010 - 03:57 PM

Good evening.

Apologies for having you run DDS again. Habit made me include that step number when I just wanted you to run Defogger and then GMER - old age creeping up on me, I'm afraid! Given that you can't get GMER to run, will you try this instead:

Download RootRepeal from one of the locations below and save it to your Desktop:
You will need to unzip it before you run it.

To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish
  • Double click RootRepeal.exe to fire up the tool and OK any Windows confirmations if necessary.
  • Ensure that the Report Tab is selected at the bottom.
  • Click the Scan button, check all the boxes in the window that appears and then click OK.
  • Check the box next to your main hard drive - usually C: and click OK
  • Put the kettle on and perhaps open a packet of biscuits - the scan will take some time.
  • Once the scan has completed a Notepad window will open with the results in.
  • These results will also be saved to the root of your main drive as \RootRepeal report date time.txt
Let me have a copy of the contents in your next reply.

#5 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 22 March 2010 - 03:40 PM

As there has been no response for five days this thread is now closed.
