Last scan pulled from log file.
Remaining issues:Object Name Threat Name Final Status
[System]=]HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{1D5C19A6-7D04-4F46-8A38-34CF3A6CD4FD}\1.0\0\WIN32\=]C:\PROGRA~1\DIGSTR~1\DIGSTR~1.EXE Trojan.Generic.419877 No action was possible
Resolved issues:Object Name Threat Name Final Status
C:\Program Files\DIGStream\digstream.exe Trojan.Generic.419877 Deleted
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP63\A0007976.exe Trojan.Generic.419877 Deleted
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:40 AM, on 11/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\DOCUME~1\Kevin\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\BitDefender\BitDefender 2008\uiscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 7020 bytes
Kevin
Full Version: Trojan
I have since re-booted and re-ran full scan without finding any issues.
I will re-post if the Trojan shows again.
Kevin
I will re-post if the Trojan shows again.
Kevin
Please do this:
Can you please download combofix, you will find it here. Print the following instructions and read them carefully. Please post the output of the scan into your next post.
Can you please download combofix, you will find it here. Print the following instructions and read them carefully. Please post the output of the scan into your next post.
Ok, well since my last post Bitdefender has come up clean every day.
but today my World of Warcraft account got hacked.
So i ran the suggested instructions above for ComboFix
ComboFix 08-11-18.A2 - Kevin 2008-11-19 17:29:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2615 [GMT -7:00]
Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.
2008-11-12 03:00 . 2008-11-12 03:00 1,393 --a------ c:\windows\imsins.BAK
2008-11-11 22:19 . 2008-09-04 10:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 22:19 . 2008-10-24 04:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-30 06:50 . 2008-10-30 06:50 <DIR> d-------- c:\windows\Sun
2008-10-26 21:24 . 2008-10-26 21:24 <DIR> d-------- c:\program files\Paint.NET
2008-10-25 14:12 . 2008-10-25 14:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Dell
2008-10-23 12:57 . 2008-10-15 09:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-21 17:44 . 2008-10-21 17:44 <DIR> d-------- c:\windows\system32\IOSUBSYS
2008-10-21 17:44 . 2008-10-21 17:44 <DIR> d-------- c:\program files\Google
2008-10-21 17:44 . 2008-04-07 16:16 9,200 --------- c:\windows\system32\drivers\cdralw2k.sys
2008-10-21 17:44 . 2008-04-07 16:16 9,072 --------- c:\windows\system32\drivers\cdr4_xp.sys
2008-10-20 06:17 . 2008-04-13 11:45 26,368 --a------ c:\windows\system32\dllcache\usbstor.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 00:30 81,984 ----a-w c:\windows\system32\bdod.bin
2008-11-14 00:54 --------- d-----w c:\program files\World of Warcraft
2008-11-11 09:05 --------- d-----w c:\program files\DIGStream
2008-11-04 02:15 --------- d-----w c:\documents and settings\Kevin\Application Data\Ventrilo
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-19 21:23 --------- d-----w c:\program files\Ventrilo
2008-10-19 21:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-19 15:36 --------- d-----w c:\program files\Curse
2008-10-19 05:51 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-19 02:19 --------- d-----w c:\program files\Reference Assemblies
2008-10-19 02:19 --------- d-----w c:\program files\MSBuild
2008-10-19 00:37 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-18 22:50 --------- d-----w c:\program files\Trend Micro
2008-10-18 22:30 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-18 22:30 --------- d-----w c:\program files\Creative
2008-10-18 21:55 --------- d-----w c:\program files\CCleaner
2008-10-18 21:46 --------- d-----w c:\program files\Common Files\BitDefender
2008-10-18 21:46 --------- d-----w c:\program files\BitDefender
2008-10-18 21:46 --------- d-----w c:\documents and settings\Kevin\Application Data\Bitdefender
2008-10-18 21:46 --------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2008-10-18 21:39 --------- d-----w c:\program files\Dell
2008-10-18 21:37 --------- d-----w c:\program files\Common Files\SWF Studio
2008-10-18 21:28 --------- d--h--w c:\documents and settings\Kevin\Application Data\Gtek
2008-10-18 21:27 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-10-18 21:21 --------- d-----w c:\program files\Common Files\Intuit
2008-10-18 21:15 --------- d-----w c:\program files\Common Files\AOL
2008-10-18 21:15 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-10-18 21:14 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2008-10-18 21:13 --------- d-----w c:\program files\DellSupport
2008-10-18 21:12 --------- d-----w c:\documents and settings\Kevin\Application Data\McAfee.com Personal Firewall
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-09-24 00:46 245,408 ----a-w c:\windows\system32\unicows.dll
2008-09-18 16:44 2,302,017 ----a-w c:\windows\system32\GPhotos.scr
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-20 05:30 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-08-20 05:30 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-08-20 05:30 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-20 05:30 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2008-10-10 4789760]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-10 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-10 98304]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-10-18 368640]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]
"MBMon"="CTMBHA.DLL" [2005-05-19 c:\windows\system32\CTMBHA.DLL]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-10 24576]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\2caf0a8t.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Google\Picasa3\npPicasa3.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 17:30:51
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-19 17:34:52
ComboFix-quarantined-files.txt 2008-11-20 00:34:48
ComboFix2.txt 2008-11-20 00:23:10
Pre-Run: 119,796,322,304 bytes free
Post-Run: 119,777,202,176 bytes free
160 --- E O F --- 2008-11-15 10:00:39
but today my World of Warcraft account got hacked.
So i ran the suggested instructions above for ComboFix
ComboFix 08-11-18.A2 - Kevin 2008-11-19 17:29:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2615 [GMT -7:00]
Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.
2008-11-12 03:00 . 2008-11-12 03:00 1,393 --a------ c:\windows\imsins.BAK
2008-11-11 22:19 . 2008-09-04 10:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 22:19 . 2008-10-24 04:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-30 06:50 . 2008-10-30 06:50 <DIR> d-------- c:\windows\Sun
2008-10-26 21:24 . 2008-10-26 21:24 <DIR> d-------- c:\program files\Paint.NET
2008-10-25 14:12 . 2008-10-25 14:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Dell
2008-10-23 12:57 . 2008-10-15 09:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-21 17:44 . 2008-10-21 17:44 <DIR> d-------- c:\windows\system32\IOSUBSYS
2008-10-21 17:44 . 2008-10-21 17:44 <DIR> d-------- c:\program files\Google
2008-10-21 17:44 . 2008-04-07 16:16 9,200 --------- c:\windows\system32\drivers\cdralw2k.sys
2008-10-21 17:44 . 2008-04-07 16:16 9,072 --------- c:\windows\system32\drivers\cdr4_xp.sys
2008-10-20 06:17 . 2008-04-13 11:45 26,368 --a------ c:\windows\system32\dllcache\usbstor.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 00:30 81,984 ----a-w c:\windows\system32\bdod.bin
2008-11-14 00:54 --------- d-----w c:\program files\World of Warcraft
2008-11-11 09:05 --------- d-----w c:\program files\DIGStream
2008-11-04 02:15 --------- d-----w c:\documents and settings\Kevin\Application Data\Ventrilo
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-19 21:23 --------- d-----w c:\program files\Ventrilo
2008-10-19 21:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-19 15:36 --------- d-----w c:\program files\Curse
2008-10-19 05:51 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-19 02:19 --------- d-----w c:\program files\Reference Assemblies
2008-10-19 02:19 --------- d-----w c:\program files\MSBuild
2008-10-19 00:37 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-18 22:50 --------- d-----w c:\program files\Trend Micro
2008-10-18 22:30 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-18 22:30 --------- d-----w c:\program files\Creative
2008-10-18 21:55 --------- d-----w c:\program files\CCleaner
2008-10-18 21:46 --------- d-----w c:\program files\Common Files\BitDefender
2008-10-18 21:46 --------- d-----w c:\program files\BitDefender
2008-10-18 21:46 --------- d-----w c:\documents and settings\Kevin\Application Data\Bitdefender
2008-10-18 21:46 --------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2008-10-18 21:39 --------- d-----w c:\program files\Dell
2008-10-18 21:37 --------- d-----w c:\program files\Common Files\SWF Studio
2008-10-18 21:28 --------- d--h--w c:\documents and settings\Kevin\Application Data\Gtek
2008-10-18 21:27 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-10-18 21:21 --------- d-----w c:\program files\Common Files\Intuit
2008-10-18 21:15 --------- d-----w c:\program files\Common Files\AOL
2008-10-18 21:15 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-10-18 21:14 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2008-10-18 21:13 --------- d-----w c:\program files\DellSupport
2008-10-18 21:12 --------- d-----w c:\documents and settings\Kevin\Application Data\McAfee.com Personal Firewall
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-09-24 00:46 245,408 ----a-w c:\windows\system32\unicows.dll
2008-09-18 16:44 2,302,017 ----a-w c:\windows\system32\GPhotos.scr
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-20 05:30 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-08-20 05:30 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-08-20 05:30 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-20 05:30 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2008-10-10 4789760]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-10 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-10 98304]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-10-18 368640]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]
"MBMon"="CTMBHA.DLL" [2005-05-19 c:\windows\system32\CTMBHA.DLL]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-10 24576]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\2caf0a8t.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Google\Picasa3\npPicasa3.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 17:30:51
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-19 17:34:52
ComboFix-quarantined-files.txt 2008-11-20 00:34:48
ComboFix2.txt 2008-11-20 00:23:10
Pre-Run: 119,796,322,304 bytes free
Post-Run: 119,777,202,176 bytes free
160 --- E O F --- 2008-11-15 10:00:39
i analyzed your hijackthis log and you should scan again, and check the box right next to this :
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
and press fix
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
and press fix
QUOTE (VirusPING @ Nov 19 2008, 06:56 PM) 
i analyzed your hijackthis log and you should scan again, and check the box right next to this :
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
and press fix
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
and press fix
done.
are you still having problems?
QUOTE (VirusPING @ Nov 22 2008, 02:26 PM)
are you still having problems?
At this time everything seems ok.
thanks.
OK 
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.