Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Potential Keylogger, WoW account "hacked"


  • Please log in to reply
4 replies to this topic

#1 nicholaiputan

nicholaiputan

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:46 AM

Posted 28 March 2010 - 12:30 PM

Hey folks. WoW account was hacked the day after I made it. I never entered my information into any fields other than the Battle.net ones that started my account. The GMer thing didn't work. I got an error on startup saying that some system file couldn't be found or something. That stuff at the bottom of the attach.txt freaked me out. I believe it was happening on my work network.

DDS (Ver_10-03-17.01) - NTFSX64
Run by Nick at 10:10:29.13 on Sun 03/28/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.4091.2766 [GMT -7:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\CSHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files (x86)\Steam\steam.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\x64\klwtblfs.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Nick\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
mLocal Page = c:\windows\syswow64\blank.htm
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files (x86)\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files (x86)\spybot - search & destroy\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files (x86)\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files (x86)\ask.com\GenericAskToolbar.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files (x86)\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files (x86)\ask.com\GenericAskToolbar.dll
uRun: [Steam] "c:\program files (x86)\steam\Steam.exe" -silent
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [DAEMON Tools Lite] "c:\program files (x86)\daemon tools lite\DTLite.exe" -autorun
uRun: [SpybotSD TeaTimer] c:\program files (x86)\spybot - search & destroy\TeaTimer.exe
mRun: [PWRISOVM.EXE] c:\program files (x86)\poweriso\PWRISOVM.EXE
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVP] "c:\program files (x86)\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
StartupFolder: c:\users\nick\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files (x86)\microsoft office\office12\ONENOTEM.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~2\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files (x86)\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files (x86)\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files (x86)\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files (x86)\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files (x86)\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~2\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~2\kasper~1\kasper~1\mzvkbd3.dll
BHO-X64: IEVkbdBHO Class: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\program files (x86)\kaspersky lab\kaspersky anti-virus 2010\x64\ievkbd.dll
BHO-X64: IEVkbdBHO - No File
BHO-X64: FilterBHO Class: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files (x86)\kaspersky lab\kaspersky anti-virus 2010\x64\klwtbbho.dll
BHO-X64: link filter bho - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun-x64: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun

============= SERVICES / DRIVERS ===============

R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 40464]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-4 69152]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-4 121936]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-9-14 27152]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 59904]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-4 22096]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-2-4 63568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-11 40384]
R2 CSHelper;CopySafe Helper Service;c:\windows\syswow64\CSHelper.exe [2010-2-21 266240]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\lavasoft\ad-aware\AAWService.exe [2010-2-4 1263728]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\spybot - search & destroy\SDWinSec.exe [2010-3-27 1153368]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-11 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-11 40384]
R3 CAXHWAZL;CAXHWAZL;c:\windows\system32\drivers\CAXHWAZL.sys [2006-10-19 296448]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 21008]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam_x64.sys [2008-3-13 27136]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\drivers\NETw5s64.sys [2010-1-13 7675392]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2009-8-21 84512]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 17920]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x64.sys [2009-9-28 395264]
S2 AVP;Kaspersky Anti-Virus;c:\program files (x86)\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-10-20 340456]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\common files\macrovision shared\flexnet publisher\FNPLicensingService64.exe [2010-3-12 1030600]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-3-10 19544]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-26 1255736]

=============== Created Last 30 ================

2010-03-27 22:08:03 0 d-----w- c:\program files (x86)\ESET
2010-03-27 21:28:57 143387 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-27 21:28:57 104987 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-27 21:28:13 0 d-----w- c:\programdata\Kaspersky Lab
2010-03-27 21:28:13 0 d-----w- c:\program files (x86)\Kaspersky Lab
2010-03-27 21:26:55 0 d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-03-27 20:30:06 0 d-----w- c:\users\nick\appdata\roaming\Malwarebytes
2010-03-27 20:30:02 0 d-----w- c:\programdata\Malwarebytes
2010-03-27 20:30:01 22104 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-27 20:30:01 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-03-27 20:06:10 0 d-----w- c:\program files (x86)\Uniblue
2010-03-27 17:20:52 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-27 17:20:52 0 d-----w- c:\program files (x86)\Spybot - Search & Destroy
2010-03-26 06:56:03 0 d-----w- c:\program files (x86)\common files\Blizzard Entertainment
2010-03-26 06:55:00 0 d-----w- c:\programdata\Blizzard
2010-03-26 04:52:50 0 d-----w- c:\programdata\Adobe
2010-03-26 04:40:16 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-26 04:00:23 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-26 03:49:30 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-25 18:35:55 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-03-24 02:52:26 0 d-----w- c:\windows\system32\appmgmt
2010-03-19 04:59:19 0 d-----w- c:\program files (x86)\CamStudio
2010-03-17 06:08:35 0 d-----w- c:\users\nick\appdata\roaming\ManyCam
2010-03-17 06:08:35 0 d-----w- c:\program files (x86)\ManyCam 2.4
2010-03-17 06:08:30 0 d-----w- c:\program files (x86)\Ask.com
2010-03-16 23:13:12 215128 ----a-w- c:\windows\syswow64\PnkBstrB.xtr
2010-03-16 22:27:37 215128 ----a-w- c:\windows\syswow64\PnkBstrB.exe
2010-03-16 22:27:32 75064 ----a-w- c:\windows\syswow64\PnkBstrA.exe
2010-03-16 22:27:32 2434856 ----a-w- c:\windows\syswow64\pbsvc_bc2.exe
2010-03-13 18:44:20 0 d-----w- c:\windows\syswow64\Adobe
2010-03-13 00:12:05 0 d-----w- c:\users\nick\appdata\roaming\Autodesk
2010-03-13 00:09:25 0 d-----w- c:\programdata\FLEXnet
2010-03-13 00:02:50 0 d-----w- c:\program files\common files\Macrovision Shared
2010-03-13 00:02:09 0 d-----w- c:\program files\common files\Autodesk Shared
2010-03-13 00:01:02 0 d-----w- c:\program files\Autodesk
2010-03-12 23:57:05 0 d-----w- c:\program files (x86)\common files\Macrovision Shared
2010-03-12 23:56:20 0 d-----w- c:\program files (x86)\common files\Autodesk Shared
2010-03-12 23:55:12 0 d-----w- c:\programdata\Autodesk
2010-03-12 23:54:49 0 d-----w- c:\program files (x86)\Autodesk
2010-03-12 23:37:16 834544 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-12 23:36:55 0 d-----w- c:\program files (x86)\DAEMON Tools Lite
2010-03-12 23:36:26 0 d-----w- c:\users\nick\appdata\roaming\DAEMON Tools Lite
2010-03-12 23:36:12 0 d-----w- c:\programdata\DAEMON Tools Lite
2010-03-12 23:26:03 540688 ----a-w- c:\windows\system32\d3dx10_39.dll
2010-03-12 23:26:03 467984 ----a-w- c:\windows\syswow64\d3dx10_39.dll
2010-03-12 23:26:03 1942552 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2010-03-12 23:26:03 1493528 ----a-w- c:\windows\syswow64\D3DCompiler_39.dll
2010-03-12 23:26:02 4992520 ----a-w- c:\windows\system32\D3DX9_39.dll
2010-03-12 23:26:02 3851784 ----a-w- c:\windows\syswow64\D3DX9_39.dll
2010-03-11 22:03:36 0 d-----w- c:\program files (x86)\Microsoft Games
2010-03-10 23:39:45 0 d-----w- c:\program files\PeerBlock
2010-03-03 23:15:17 0 d-----w- c:\users\nick\appdata\roaming\Bioshock2
2010-03-03 23:14:55 0 d-sh--w- c:\programdata\SecuROM
2010-03-03 23:13:41 0 d-----w- c:\windows\syswow64\xlive
2010-03-03 23:13:41 0 d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE
2010-02-26 23:38:21 0 d-----w- c:\programdata\Yahoo!
2010-02-26 23:36:09 0 d-----w- c:\program files (x86)\Yahoo!

==================== Find3M ====================

2010-03-09 11:24:05 153184 ----a-w- c:\windows\syswow64\aswBoot.exe
2010-03-09 11:08:56 63568 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-02-24 17:16:06 212864 ------w- c:\windows\system32\MpSigStub.exe
2010-02-22 02:54:08 266240 ----a-w- c:\windows\syswow64\CSHelper.exe
2010-02-22 02:54:08 225280 ----a-w- c:\windows\syswow64\CSInstru.DLL
2010-02-16 21:40:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01009.Wdf
2010-02-12 07:48:35 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-02-11 18:53:57 38848 ----a-w- c:\windows\syswow64\avastSS.scr
2010-02-04 22:24:45 394752 ----a-w- c:\windows\system32\UCI64A41.dll
2010-02-04 22:24:44 668672 ----a-w- c:\windows\system32\drivers\CHDRT64.sys
2010-02-04 22:24:44 1738240 ----a-w- c:\windows\system32\CX64FP19.dll
2010-02-04 15:53:02 69152 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-02 08:36:47 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-02 07:45:54 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-01-19 09:05:57 424960 ----a-w- c:\windows\system32\secproc.dll
2010-01-19 09:05:57 422912 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-19 09:05:57 121856 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-19 09:05:57 121856 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-19 09:00:44 305152 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-19 09:00:43 357888 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-19 09:00:37 356352 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-19 09:00:37 306688 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-18 23:29:31 85504 ----a-w- c:\windows\syswow64\secproc_ssp_isv.dll
2010-01-18 23:29:31 85504 ----a-w- c:\windows\syswow64\secproc_ssp.dll
2010-01-18 23:29:31 365568 ----a-w- c:\windows\syswow64\secproc_isv.dll
2010-01-18 23:29:30 369152 ----a-w- c:\windows\syswow64\secproc.dll
2010-01-18 23:28:33 324608 ----a-w- c:\windows\syswow64\RMActivate_isv.exe
2010-01-18 23:28:33 277504 ----a-w- c:\windows\syswow64\RMActivate_ssp_isv.exe
2010-01-18 23:28:30 320512 ----a-w- c:\windows\syswow64\RMActivate.exe
2010-01-18 23:28:30 280064 ----a-w- c:\windows\syswow64\RMActivate_ssp.exe
2010-01-12 05:48:00 499712 ----a-w- c:\windows\syswow64\msvcp71.dll
2010-01-12 05:48:00 348160 ----a-w- c:\windows\syswow64\msvcr71.dll
2010-01-11 07:12:38 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 10:11:05.92 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:08:46 PM

Posted 28 March 2010 - 01:53 PM

Hi nicholaiputan

Please visit the online Jotti Virus Scanner <--link
  • Click on button.
  • Copy and paste the following filepath in the box:

    c:\windows\system32\UCI64A41.dll

  • Click on the button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.


Please do the same for:

c:\windows\system32\drivers\CHDRT64.sys
c:\windows\system32\CX64FP19.dll

If you canít find the files maybe are hidden follow the How to show hidden files in Windows 7 Tutorial


#3 nicholaiputan

nicholaiputan
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:46 AM

Posted 28 March 2010 - 03:21 PM

Unable to find any. Even with hidden files showing.

#4 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:08:46 PM

Posted 28 March 2010 - 03:31 PM

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


#5 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:08:46 PM

Posted 30 March 2010 - 09:24 AM

Hi nicholaiputan

Lets try again!

Please visit the online Jotti Virus Scanner <--link
  • Copy and paste the following filepath in the box:

    c:\windows\system32\UCI64A41.dll

  • Click on the button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

Please do the same for:

c:\windows\system32\drivers\CHDRT64.sys
c:\windows\system32\CX64FP19.dll


Don't forget the Sophos Anti-rootkit scan.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users