Account keeps getting hacked.

VirusOwnedMe (Novice, Posts: 16)

Post 3+ Months Ago

I play World of Warcraft and two days ago I was hacked, I scanned my password and then reset my password. Unfortunately it didn't last long, today I was hacked.
I have no idea how to use Hijack This so if anyone could help me it would be greatly appreciated, I think I have a keylogger.
Thanks

SB (Moderator, Genius, Posts: 8742, Loc: Aberdeen, Scotland)

Post 3+ Months Ago

Here are a couple of topics that might be of interest to you...

mswindows-forum/highjackthis-and-spyware-removal-resources-and-tips-t31034.html

and...

mswindows-forum/steps-take-before-posting-your-hijack-this-log-t34568.html

Have a look at the information on these topics. If you are uncertain on how to fix the issues, then there are a lot of good members here who may be able to help you identify what you may want to remove from your system.

I hope this helps.
VirusOwnedMe (Novice, Posts: 16)

Post 3+ Months Ago

I analyzed my log using a log analyzer at hijack dot de, most of it was ok I think but I found O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

Kind: Very safe
It seems that the name of this program is the same as the name of the file. In the most cases this is the result of trojans. To be sure, you should check this file.

I'm not sure if it's safe or not. Also, do you want me to post the full log?
Thanks
VirusOwnedMe (Novice, Posts: 16)

Post 3+ Months Ago

I was wondering if someone could analyze the log please.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:27:24 PM, on 10/11/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\KeyScrambler\KeyScrambler.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Adminstrator\Downloads\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovodotmsndotcom
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://godotmicrosoftdotcom/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovodotmsndotcom
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://godotmicrosoftdotcom/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://godotmicrosoftdotcom/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://godotmicrosoftdotcom/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://godotmicrosoftdotcom/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\HssIE\HssIE.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [IdeaNotesUser] C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe
O4 - HKLM\..\Run: [AcWin7Hlpr] C:\Program Files\Lenovo\Access Connections\AcTBenabler.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [KeyScrambler] C:\Program Files\KeyScrambler\keyscrambler.exe /a
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-4291226254-662787883-914340902-1001\..\Run: [Google Update] "C:\Users\Noah\AppData\Local\Google\Update\GoogleUpdate.exe" /c (User 'Noah')
O4 - HKUS\S-1-5-21-4291226254-662787883-914340902-1001\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'Noah')
O4 - S-1-5-21-4291226254-662787883-914340902-1001 Startup: CurseClientStartup.ccip (User 'Noah')
O4 - S-1-5-21-4291226254-662787883-914340902-1001 User Startup: CurseClientStartup.ccip (User 'Noah')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF5BA~1\Office12\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6C55955-4A19-4E48-A3B7-3E2B4036BF04}: NameServer = 10.53.32.1
O23 - Service: AcPrfMgrSvc - Lenovo - C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe
O23 - Service: AcSvc - Lenovo - C:\Program Files\Lenovo\Access Connections\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - C:\Program Files\Hotspot Shield\bin\hsswd.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Security\pctsSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

--
End of file - 11492 bytes


Thanks

EDIT: Forgot to add, I replaced some dots with "dot".
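As an added illustration (not code from the thread or from HijackThis or hijackthis.de), the two triage rules that come up in this thread, orphan "(no file)" entries and the hijackthis.de heuristic that a Run value named exactly like its executable deserves a second look, applied to a few constructed lines in the shape of the log above; the O17 private-address check is my own addition.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: a few lines in the shape of the HijackThis log posted
# above (the real log is much longer). Not the poster's full log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6C55955-4A19-4E48-A3B7-3E2B4036BF04}: NameServer = 10.53.32.1
"""

# "Rn - body" / "Onn - body" entry lines; headers and the process list do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# O4 body: HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DNS_RE = re.compile(r"NameServer = (?P<servers>\S+)")


def executable_name(cmd: str) -> str:
    """Bare file name of a Run-key command: strip quotes, directory and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def review(log_text: str) -> List[Dict[str, str]]:
    """Return the entries a reviewer should look at first, in log order."""
    findings: List[Dict[str, str]] = []

    def flag(code: str, line: str, reason: str) -> None:
        findings.append({"code": code, "line": line, "reason": reason})

    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")

        # 1. Registrations whose target file is gone: leftovers of removed
        #    software, harmless but safe to delete (the O2 "(no name)" BHO above).
        if body.endswith("(no file)"):
            flag(code, line, "orphan entry: registered object's file is missing")
            continue

        # 2. The hijackthis.de heuristic: a Run value named exactly like its
        #    executable is worth verifying, since some trojans register that
        #    way. A hit is a prompt to check the file, not a verdict: the
        #    Trend Micro entry in this thread is a legitimate match.
        if code == "O4":
            run = RUN_RE.match(body)
            if run and run.group("name").lower() == executable_name(run.group("cmd")).lower():
                flag(code, line, "run-key name equals executable file name; verify the file")

        # 3. Added check: a NameServer outside private address space means
        #    name resolution is answered by a host you may not control.
        elif code == "O17":
            dns = DNS_RE.search(body)
            for server in (dns.group("servers").split(",") if dns else []):
                try:
                    if not ipaddress.ip_address(server.strip()).is_private:
                        flag(code, line, f"DNS server {server} is not a private address; confirm it")
                except ValueError:
                    flag(code, line, f"unparseable NameServer value {server!r}")
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['code']}: {f['reason']}\n    {f['line']}")
```

On the sample it flags the R3 hook, the nameless BHO and the UfSeAgnt.exe Run value, and nothing else; every flag still needs a human to check publisher and location before anything is removed.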
SB (Moderator, Genius, Posts: 8742, Loc: Aberdeen, Scotland)

Post 3+ Months Ago

What I will do is move this topic into the Windows forum, as the HijackThis log is more appropriate for that forum. I will keep a shadow of the topic in the Security forum to increase any other traffic to the post in order to help sort this out for you.
ATNO/TW (Super Moderator, Posts: 23456, Loc: Woodbridge VA)

Post 3+ Months Ago

You'll have to forgive me but I'm an avid WoW player. You simply need to buy the authenticator and avoid the hack scams. Nothing personal but I bet you were following a bogus get gold quick link when you got hacked.
VirusOwnedMe (Novice, Posts: 16)

Post 3+ Months Ago

I wasn't but I suspect a site I was on had an ad containing a keylogger, do you see one in my log? If so it would help a lot. Plus since I don't have a credit card I'd like to not get an authenticator unless I absolutely need to.

Thanks
ATNO/TW (Super Moderator, Posts: 23456, Loc: Woodbridge VA)

Post 3+ Months Ago

I don't see a keylogger in your log and if you want to continue to play WoW without the risk of getting hacked, you need the authenticator.
SpooF (٩๏̯͡๏۶, Bronze Member, Posts: 3422, Loc: Richland, WA)

Post 3+ Months Ago

What's the authenticator do? Is a strong password not good enough anymore?
VirusOwnedMe (Novice, Posts: 16)

Post 3+ Months Ago

Ok thanks but see anything that would show how I was hacked?

And an authenticator makes a new password every time you login.
ATNO/TW (Super Moderator, Posts: 23456, Loc: Woodbridge VA)

Post 3+ Months Ago

The only thing I can see in your log that I would suggest removing is
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
It appears to be a deactivated browser helper object called Click-to-call which was part of Windows Live Messenger. Outside of that, I don't see any sign of a keylogger from that log. That is not to say that you don't have one, but hijackthis isn't showing one.

VirusOwnedMe wrote:
I wasn't but I suspect a site I was on had an ad containing a keylogger, do you see one in my log? If so it would help a lot. Plus since I don't have a credit card I'd like to not get an authenticator unless I absolutely need to.


Why do you suspect the site you were on had a keylogger?
Have you checked this page?
http://us.battle.net/en/security/theft
It may give you some ideas as to how your account may be getting hacked.

If you've gotten Blizzard to restore your account to you, I would recommend changing your password through blizzard.net. Also I see curse client running at startup, so I assume you are using a variety of addons. Malicious addons are a big reason why accounts get hacked. I would seriously take a good look at any addons you've recently downloaded and installed. If you do have a keylogger, you'll most likely find it in one of them.

And from what I have seen if you've been hacked once, then you're likely to get hacked again. So in my opinion, yes you absolutely need to get the authenticator. I know you said you don't have a credit card, but you have to be paying for the monthly service somehow. You should be able to get the authenticator by the same payment method you are using to pay your service fees.

Also, as a courtesy, if you are a member of a guild, I would talk to your guild owner or high ranking officer and let them know what's happened if you haven't already. It would also be a smart thing to remove yourself from the guild until you've resolved your account issues. One of the big reasons accounts get hacked is to rape the guild bank for gold.

To answer SpooF's question: yes, normally a strong password is enough to prevent your account from being hacked, but in the case of WoW there are just too many ways people can get duped into exposing themselves to malicious sites and activities, especially if they are trying to get gold outside of normal game play. The authenticator is a security key that generates a random 6 digit number that must be entered at login in addition to your user ID and normal password. The key is associated with your account by serial number and the "random" numbers are unique to the key, hence making it virtually impossible for someone other than yourself to login to your account.
http://us.blizzard.com/store/details.xml?id=1100000822
VirusOwnedMe (Novice, Posts: 16)

Post 3+ Months Ago

Ok, a possibility is phishing emails, and I'd like to change my battledotnet email, but I forgot my Secret Answer. Is there any way to reset it other than mailing a form?
ATNO/TW (Super Moderator, Posts: 23456, Loc: Woodbridge VA)

Post 3+ Months Ago

Not that I'm aware of.
VirusOwnedMe (Novice, Posts: 16)

Post 3+ Months Ago

Ok now I am a hundred percent sure that it's a keylogger since I was hacked a third time, my WoW account was not open at the login screen while having a browser open. I am running a Malwarebytes Scan at the moment and will post it and then will run a Hijack This log which I will also post after.

If my searches come up negative and no keylogger is found is the only possibility an authenticator?

Thanks
ATNO/TW (Super Moderator, Posts: 23456, Loc: Woodbridge VA)

Post 3+ Months Ago

The authenticator is going to be your best assurance that you won't get hacked again, keylogger or no. Have you checked your addons like I suggested?

I would also recommend running a couple of other scans. Malwarebytes is a good tool, but it doesn't find a lot of stuff that others do.

Run the following scans:
CCleaner by Piriform. This will clear out all of your temporary files from your system. A lot of viruses end up in temp folders.
Microsoft Malicious Software Removal Tool. That's a very good tool for finding rootkits and backdoor trojans.
ComboFix. The best malware removal tool I've found to date. Before running ComboFix, you may need to disable or uninstall any anti-virus software you are running, as they will generally cause conflicts. Some AV software will even identify ComboFix as a virus due to the nature of how it runs. Read the instructions on How to use ComboFix before running it.
VirusOwnedMe (Novice, Posts: 16)

Post 3+ Months Ago

CCleaner found some stuff, not sure if they provide logs though. Anyways, I was wondering about the authenticator: will it 100% block the keylogger if I have one on my computer? Using Windows Malicious Removal at the moment.
VirusOwnedMe (Novice, Posts: 16)

Post 3+ Months Ago

I was scanning my WoW Interface Folder (Addons) when I saw a file not in the Interface Folder but in the General Folder called "Microsoft.VC80.CRT". It's a manifest file and is 2 KB. Could this possibly be a virus/trojan, etc.?

I also have two csrss.exe running at the same time.

EDIT: I ran AdAware and it found Win32.Adware.Relevant/B Engine.

Here's the log:
Logfile created: 13/11/2010 11:56:34
Ad-Aware version: 8.3.5
Extended engine: 3
Extended engine version: 3.1.2770
User performing scan: Noah

*********************** Definitions database information ***********************
Lavasoft definition file: 150.157
Genotype definition file version: 2010/11/10 15:16:47
Extended engine definition file: 7299.0

******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 292178
Objects detected: 3


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 1
Folders.........: 0
LSPs............: 0
Cookies.........: 2
Browser hijacks.: 0
MRU objects.....: 0



Removed items:
Description: *webtrends* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 599640 Family ID: 0
Description: *webtrends* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 599640 Family ID: 0

Quarantined items:
Description: c:\users\noah\downloads\windows-7-dark.exe Family Name: Win32.Adware.Relevant/B Engine: 1 Clean status: Success Item ID: 0 Family ID: 0 MD5: 4375626001fdeb489616db05a76835ea

Scan and cleaning complete: Finished correctly after 8254 seconds


****************************** System information ******************************
Computer name: WADE
Processor name: Intel(R) Core(TM)2 Duo CPU T6570 @ 2.10GHz
Processor identifier: x86 Family 6 Model 23 Stepping 10
Processor speed: ~2094MHZ
Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 5898, number of processors 2, processor features: [MMX,SSE,SSE2,SSE3]
Physical memory available: 776810496 bytes
Physical memory total: 2005778432 bytes
Virtual memory available: 1838567424 bytes
Virtual memory total: 2147352576 bytes
Memory load: 61%
Microsoft (build 7600)
Windows startup mode:

Running processes:
PID: 388 name: C:\Windows\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 544 name: C:\Windows\System32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 588 name: C:\Windows\System32\wininit.exe owner: SYSTEM domain: NT AUTHORITY
PID: 612 name: C:\Windows\System32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 648 name: C:\Windows\System32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 672 name: C:\Windows\System32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 680 name: C:\Windows\System32\lsm.exe owner: SYSTEM domain: NT AUTHORITY
PID: 768 name: C:\Windows\System32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 824 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 944 name: C:\Windows\System32\ibmpmsvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1000 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1116 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1152 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1184 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1316 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1420 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1576 name: C:\Program Files\Alwil Software\Avast5\AvastSvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1584 name: C:\Windows\System32\wlanext.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1592 name: C:\Windows\System32\conhost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2000 name: C:\Windows\System32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2036 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 596 name: C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1240 name: C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1288 name: C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1480 name: C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1544 name: C:\Program Files\Bonjour\mDNSResponder.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1932 name: C:\Program Files\Intel\WiFi\bin\EvtEng.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1696 name: C:\Windows\MicrosoftdotNET\Framework\v3.0\WPF\PresentationFontCache.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2212 name: C:\Windows\System32\dwm.exe owner: Noah domain: Wade
PID: 2264 name: C:\Windows\System32\taskhost.exe owner: Noah domain: Wade
PID: 2328 name: C:\Windows\explorer.exe owner: Noah domain: Wade
PID: 2364 name: C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe owner: Noah domain: Wade
PID: 2440 name: C:\Program Files\Hotspot Shield\bin\openvpnas.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2464 name: C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2492 name: C:\Program Files\Hotspot Shield\bin\hsswd.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2528 name: C:\Program Files\Lenovo\HOTKEY\micmute.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2592 name: C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2680 name: C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2868 name: C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 2920 name: C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 2952 name: C:\Program Files\Lenovo\Access Connections\AcSvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3032 name: C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3608 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 3872 name: C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe owner: Noah domain: Wade
PID: 4028 name: C:\Windows\System32\WUDFHost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2068 name: C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe owner: Noah domain: Wade
PID: 2980 name: C:\Windows\System32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3628 name: C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe owner: Noah domain: Wade
PID: 1492 name: C:\Windows\System32\wbem\WmiPrvSE.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4008 name: C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe owner: Noah domain: Wade
PID: 3920 name: C:\Program Files\Lenovo\ZOOM\TpScrex.exe owner: Noah domain: Wade
PID: 3992 name: C:\Windows\System32\TpShocks.exe owner: Noah domain: Wade
PID: 4332 name: C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe owner: Noah domain: Wade
PID: 4344 name: C:\Windows\System32\hkcmd.exe owner: Noah domain: Wade
PID: 4356 name: C:\Windows\System32\igfxpers.exe owner: Noah domain: Wade
PID: 4468 name: C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4484 name: C:\Windows\System32\rundll32.exe owner: Noah domain: Wade
PID: 4500 name: C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe owner: Noah domain: Wade
PID: 4648 name: C:\Windows\System32\SearchIndexer.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4804 name: C:\Windows\System32\igfxsrvc.exe owner: Noah domain: Wade
PID: 4964 name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe owner: Noah domain: Wade
PID: 5264 name: C:\Program Files\iTunes\iTunesHelper.exe owner: Noah domain: Wade
PID: 5292 name: C:\Program Files\Microsoft IntelliPoint\ipoint.exe owner: Noah domain: Wade
PID: 5408 name: C:\Program Files\Alwil Software\Avast5\AvastUI.exe owner: Noah domain: Wade
PID: 5568 name: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe owner: Noah domain: Wade
PID: 5596 name: C:\Program Files\KeyScrambler\KeyScrambler.exe owner: Noah domain: Wade
PID: 5728 name: C:\Program Files\Synaptics\SynTP\SynTPHelper.exe owner: Noah domain: Wade
PID: 5740 name: C:\Windows\System32\igfxext.exe owner: Noah domain: Wade
PID: 5752 name: C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe owner: Noah domain: Wade
PID: 2812 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 5500 name: C:\Program Files\iPod\bin\iPodService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3536 name: C:\Windows\System32\taskeng.exe owner: Noah domain: Wade
PID: 3564 name: C:\Windows\System32\jusched.exe owner: Noah domain: Wade
PID: 2648 name: C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3344 name: C:\Program Files\Lenovo\System Update\SUService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 6064 name: C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5888 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4672 name: C:\Program Files\Windows Media Player\wmpnetwk.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 5688 name: C:\Users\Noah\Desktop\windows-kb890830-v3.13.exe owner: Admin domain: Wade
PID: 2356 name: C:\15354adfb708822bf821a613d530\mrtstub.exe owner: Admin domain: Wade
PID: 1340 name: C:\Windows\System32\MRT.exe owner: Admin domain: Wade
PID: 3248 name: C:\Windows\System32\taskhost.exe owner: Noah domain: Wade
PID: 5616 name: C:\Program Files\Mozilla Firefox\firefox.exe owner: Noah domain: Wade
PID: 2084 name: C:\Windows\System32\msiexec.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5872 name: C:\Program Files\KeyScrambler\KeyScrambler.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5236 name: C:\Program Files\Hotspot Shield\bin\openvpntray.exe owner: Noah domain: Wade
PID: 5220 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3232 name: C:\Windows\System32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3492 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Noah domain: Wade
PID: 6080 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Noah domain: Wade

Startup items:
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: TPHOTKEY
imagepath: C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
Name: LENOVO.TPFNF6R
imagepath: C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
Name: IAAnotif
imagepath: C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
Name:
Name: TpShocks
imagepath: TpShocks.exe
Name: RtHDVCpl
imagepath: C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
Name: HotKeysCmds
imagepath: C:\Windows\system32\hkcmd.exe
Name: Persistence
imagepath: C:\Windows\system32\igfxpers.exe
Name: PWMTRV
imagepath: rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
Name: Message Center Plus
imagepath: C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start
Name: RoxWatchTray
imagepath: "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
Name: AcWin7Hlpr
imagepath: C:\Program Files\Lenovo\Access Connections\AcTBenabler.exe
Name: SynTPEnh
imagepath: %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
Name: UfSeAgnt.exe
imagepath: "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
Name: QuickTime Task
imagepath: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
Name: iTunesHelper
imagepath: "C:\Program Files\iTunes\iTunesHelper.exe"
Name: IntelliPoint
imagepath: "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
Name: avast5
imagepath: "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
Name: KeyScrambler
imagepath: C:\Program Files\KeyScrambler\keyscrambler.exe /a
Name:
imagepath: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name:
imagepath: autocheck autochk *

Running services:
Name: AcPrfMgrSvc
displayname: AcPrfMgrSvc
Name: AcSvc
displayname: AcSvc
Name: AeLookupSvc
displayname: Application Experience
Name: Appinfo
displayname: Application Information
Name: Apple Mobile Device
displayname: Apple Mobile Device
Name: AudioEndpointBuilder
displayname: Windows Audio Endpoint Builder
Name: Audiosrv
displayname: Windows Audio
Name: avast! Antivirus
displayname: avast! Antivirus
Name: BFE
displayname: Base Filtering Engine
Name: BITS
displayname: Background Intelligent Transfer Service
Name: Bonjour Service
displayname: Bonjour Service
Name: Browser
displayname: Computer Browser
Name: CryptSvc
displayname: Cryptographic Services
Name: CscService
displayname: Offline Files
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: Dnscache
displayname: DNS Client
Name: DPS
displayname: Diagnostic Policy Service
Name: EapHost
displayname: Extensible Authentication Protocol
Name: eventlog
displayname: Windows Event Log
Name: EventSystem
displayname: COM+ Event System
Name: EvtEng
displayname: Intel(R) PROSet/Wireless Event Log
Name: fdPHost
displayname: Function Discovery Provider Host
Name: FontCache3.0.0.0
displayname: Windows Presentation Foundation Font Cache 3.0.0.0
Name: gpsvc
displayname: Group Policy Client
Name: hidserv
displayname: Human Interface Device Access
Name: HotspotShieldService
displayname: Hotspot Shield Service
Name: HssSrv
displayname: Hotspot Shield Routing Service
Name: HssWd
displayname: Hotspot Shield Monitoring Service
Name: IAANTMON
displayname: Intel(R) Matrix Storage Event Monitor
Name: IBMPMSVC
displayname: ThinkPad PM Service
Name: IKEEXT
displayname: IKE and AuthIP IPsec Keying Modules
Name: iphlpsvc
displayname: IP Helper
Name: iPod Service
displayname: iPod Service
Name: IviRegMgr
displayname: IviRegMgr
Name: KeyIso
displayname: CNG Key Isolation
Name: LanmanServer
displayname: Server
Name: LanmanWorkstation
displayname: Workstation
Name: LENOVO.MICMUTE
displayname: Lenovo Microphone Mute
Name: lmhosts
displayname: TCP/IP NetBIOS Helper
Name: MMCSS
displayname: Multimedia Class Scheduler
Name: MpsSvc
displayname: Windows Firewall
Name: msiserver
displayname: Windows Installer
Name: Netman
displayname: Network Connections
Name: netprofm
displayname: Network List Service
Name: NlaSvc
displayname: Network Location Awareness
Name: nsi
displayname: Network Store Interface Service
Name: PcaSvc
displayname: Program Compatibility Assistant Service
Name: PlugPlay
displayname: Plug and Play
Name: PolicyAgent
displayname: IPsec Policy Agent
Name: Power
displayname: Power
Name: ProfSvc
displayname: User Profile Service
Name: RegSrvc
displayname: Intel(R) PROSet/Wireless Registry Service
Name: RpcEptMapper
displayname: RPC Endpoint Mapper
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: SamSs
displayname: Security Accounts Manager
Name: Schedule
displayname: Task Scheduler
Name: SeaPort
displayname: SeaPort
Name: seclogon
displayname: Secondary Logon
Name: SENS
displayname: System Event Notification Service
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: Spooler
displayname: Print Spooler
Name: SSDPSRV
displayname: SSDP Discovery
Name: SUService
displayname: System Update
Name: SysMain
displayname: Superfetch
Name: Themes
displayname: Themes
Name: ThinkVantage Registry Monitor Service
displayname: ThinkVantage Registry Monitor Service
Name: TPHKSVC
displayname: On Screen Display
Name: TrkWks
displayname: Distributed Link Tracking Client
Name: upnphost
displayname: UPnP Device Host
Name: UxSms
displayname: Desktop Window Manager Session Manager
Name: wcncsvc
displayname: Windows Connect Now - Config Registrar
Name: WdiServiceHost
displayname: Diagnostic Service Host
Name: WinDefend
displayname: Windows Defender
Name: Winmgmt
displayname: Windows Management Instrumentation
Name: Wlansvc
displayname: WLAN AutoConfig
Name: wlidsvc
displayname: Windows Live ID Sign-in Assistant
Name: WMPNetworkSvc
displayname: Windows Media Player Network Sharing Service
Name: WPDBusEnum
displayname: Portable Device Enumerator Service
Name: wscsvc
displayname: Security Center
Name: WSearch
displayname: Windows Search
Name: wuauserv
displayname: Windows Update
Name: wudfsvc
displayname: Windows Driver Foundation - User-mode Driver Framework
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service

Will begin running ComboFix.

P.S. Could you please tell me if that file that was quarantined was my keylogger? Thanks
  • VirusOwnedMe
  • Novice
  • Posts: 16

Post 3+ Months Ago

OK, I ran ComboFix as you asked me to.

And this is the log it gave me:

ComboFix 10-11-12.05 - Admin 13/11/2010 16:55:50.2.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.1913.942 [GMT -5:00]
Running from: c:\users\Noah\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\CFLog
c:\cflog\CrashLog_20101030.txt
c:\swtools\APPS\CSBED\CSBE\ACTIVATION_104\_desktop.ini
c:\swtools\APPS\CSBED\CSBE\ACTIVATION_104\BIN\_desktop.ini
c:\users\Adminstrator\AppData\Roaming\Uninstal.exe
c:\users\Noah\AppData\Roaming\.#
c:\users\Noah\AppData\Roaming\.#\MBX@1434@386718.###
c:\users\Noah\AppData\Roaming\.#\MBX@1434@386728.###
c:\users\Noah\AppData\Roaming\.#\MBX@16D4@676718.###
c:\users\Noah\AppData\Roaming\.#\MBX@16D4@676728.###
c:\users\Noah\AppData\Roaming\.#\MBX@1CB0@1596718.###
c:\users\Noah\AppData\Roaming\.#\MBX@1CB0@1596728.###
c:\users\Noah\AppData\Roaming\.#\MBX@26C@1596718.###
c:\users\Noah\AppData\Roaming\.#\MBX@26C@1596728.###
c:\users\Noah\AppData\Roaming\.#\MBX@AEC@3A6718.###
c:\users\Noah\AppData\Roaming\.#\MBX@AEC@3A6728.###
c:\windows\system32\jusched.exe
c:\windows\system32\Thumbs.db
Q:\AUTORUN.INF

.
((((((((((((((((((((((((( Files Created from 2010-10-13 to 2010-11-13 )))))))))))))))))))))))))))))))
.

2010-11-13 22:08 . 2010-11-13 22:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-13 22:08 . 2010-11-13 22:08 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-11-13 21:36 . 2010-11-13 21:36 -------- d-----w- C:\Device
2010-11-13 21:35 . 2010-11-13 22:08 -------- d-----w- c:\users\Noah\AppData\Local\temp
2010-11-13 21:35 . 2010-11-13 22:05 -------- d-----w- c:\users\Adminstrator\AppData\Local\temp
2010-11-13 19:14 . 2010-09-23 07:46 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-13 16:51 . 2010-09-23 07:46 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-13 16:51 . 2010-11-13 16:51 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-13 16:48 . 2010-11-13 16:48 -------- d-----w- c:\users\Adminstrator\AppData\Local\Sunbelt Software
2010-11-13 16:47 . 2010-11-13 16:47 -------- dc-h--w- c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-13 16:46 . 2010-11-13 16:51 -------- d-----w- c:\programdata\Lavasoft
2010-11-13 16:46 . 2010-11-13 16:46 -------- d-----w- c:\program files\Lavasoft
2010-11-13 16:05 . 2010-11-13 16:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-13 16:05 . 2010-11-13 16:05 -------- d-----w- c:\users\Adminstrator\AppData\Roaming\SUPERAntiSpyware.com
2010-11-13 16:04 . 2010-11-13 16:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-11-13 13:59 . 2010-11-13 13:59 -------- d-----w- c:\program files\CCleaner
2010-11-13 05:02 . 2010-11-13 05:03 -------- d-----w- c:\users\Noah\AppData\Local\Windows Live
2010-11-13 05:01 . 2010-11-13 05:02 -------- d-----w- c:\users\Noah\AppData\Local\Windows Live Writer
2010-11-13 05:01 . 2010-11-13 05:01 -------- d-----w- c:\users\Noah\AppData\Roaming\Windows Live Writer
2010-11-13 04:41 . 2010-11-13 04:41 -------- d-----w- c:\windows\en
2010-11-13 04:35 . 2009-09-04 22:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-11-13 04:35 . 2009-09-04 22:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-11-13 04:35 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-11-13 04:35 . 2010-11-13 04:35 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\29a79c9b1cb82ec09\InstallManager_WLE_WLE.exe
2010-11-13 04:34 . 2010-11-13 04:34 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\1c19064b1cb82ec07\DSETUP.dll
2010-11-13 04:34 . 2010-11-13 04:34 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\1c19064b1cb82ec07\DXSETUP.exe
2010-11-13 04:34 . 2010-11-13 04:34 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\1c19064b1cb82ec07\dsetup32.dll
2010-11-13 04:34 . 2010-11-13 04:34 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\1aed18e91cb82ec05\DSETUP.dll
2010-11-13 04:34 . 2010-11-13 04:34 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\1aed18e91cb82ec05\DXSETUP.exe
2010-11-13 04:34 . 2010-11-13 04:34 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\1aed18e91cb82ec05\dsetup32.dll
2010-11-13 04:34 . 2010-11-13 04:34 -------- d-----w- c:\users\Adminstrator\AppData\Local\Windows Live
2010-11-13 04:32 . 2010-05-23 10:11 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2010-11-13 04:32 . 2010-05-23 10:11 3181568 ----a-w- c:\windows\system32\mf.dll
2010-11-13 04:32 . 2010-05-23 10:15 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2010-11-13 04:23 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-11-13 04:23 . 2009-10-10 02:31 84992 ----a-w- c:\windows\system32\drivers\sdbus.sys
2010-11-12 16:19 . 2010-10-18 13:41 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F56C8BC4-3C50-4B7D-86E3-8EA7F81782EB}\mpengine.dll
2010-11-12 16:02 . 2010-11-12 16:03 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-11-12 16:02 . 2010-11-12 16:02 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-11-12 16:00 . 2010-11-12 16:03 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-11-12 16:00 . 2010-11-12 16:00 -------- d-----w- c:\users\Adminstrator\AppData\Roaming\DAEMON Tools Lite
2010-11-12 15:54 . 1998-10-29 21:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-11-11 23:32 . 2010-11-13 16:38 -------- d-----w- c:\programdata\SecTaskMan
2010-11-11 23:32 . 2010-11-11 23:32 -------- d-----w- c:\program files\Security Task Manager
2010-11-11 23:23 . 2010-11-11 23:23 -------- d-----w- c:\users\Adminstrator\AppData\Roaming\Google Talk
2010-11-11 23:20 . 2010-11-11 23:20 -------- d-----w- c:\users\Adminstrator\AppData\Roaming\Skype
2010-11-11 04:25 . 2010-11-11 04:25 388096 ----a-r- c:\users\Adminstrator\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-11 04:04 . 2010-11-11 04:04 388096 ----a-r- c:\users\Noah\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-11 00:10 . 2010-07-16 19:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2010-11-11 00:10 . 2010-07-16 19:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2010-11-09 03:11 . 2010-11-09 03:11 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-11-09 02:28 . 2010-02-11 15:03 114952 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2010-11-09 02:28 . 2010-11-09 02:30 -------- d-----w- c:\program files\KeyScrambler
2010-11-09 01:51 . 2010-11-09 01:51 -------- d-----w- c:\users\Noah\AppData\Roaming\Malwarebytes
2010-11-09 01:48 . 2010-11-09 01:48 -------- d-----w- c:\users\Adminstrator\AppData\Roaming\Malwarebytes
2010-11-09 01:48 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-09 01:48 . 2010-11-09 01:48 -------- d-----w- c:\programdata\Malwarebytes
2010-11-09 01:48 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-09 01:48 . 2010-11-09 01:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-09 01:20 . 2010-11-09 01:20 -------- d-----w- c:\users\Adminstrator\AppData\Local\WindowsUpdate
2010-11-09 00:41 . 2010-11-11 03:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-09 00:41 . 2010-11-09 03:48 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-11-09 00:25 . 2010-11-09 00:25 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-11-08 20:43 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-11-08 20:43 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-08 20:43 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-08 20:43 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-08 20:43 . 2010-09-07 15:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-11-08 20:42 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-11-08 20:42 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-08 20:42 . 2010-11-08 20:42 -------- d-----w- c:\programdata\Alwil Software
2010-11-08 20:42 . 2010-11-08 20:42 -------- d-----w- c:\program files\Alwil Software
2010-11-07 18:18 . 2010-11-07 18:18 -------- d-----w- c:\users\Noah\AppData\Local\Apps
2010-11-07 18:18 . 2010-11-13 21:40 -------- d-----w- c:\users\Noah\AppData\Local\Deployment
2010-11-06 13:56 . 2010-11-06 13:56 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-11-05 23:01 . 2010-11-05 23:01 -------- d-----w- c:\users\Noah\AppData\Local\Blizzard Entertainment
2010-11-04 03:58 . 2010-10-19 15:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-02 17:55 . 2010-11-02 18:01 -------- d-----w- c:\users\Adminstrator\AppData\Roaming\.minecraft
2010-11-02 15:08 . 2010-11-02 15:08 -------- d-----w- c:\program files\RocketDock
2010-11-01 21:12 . 2010-11-11 18:52 -------- d-----w- c:\program files\Common Files\Steam
2010-11-01 21:12 . 2010-11-13 21:41 -------- d-----w- c:\program files\Steam
2010-11-01 20:30 . 2010-11-01 20:30 -------- d-----w- c:\program files\SystemRequirementsLab
2010-10-29 22:21 . 2010-10-29 22:21 -------- d-----w- c:\users\Adminstrator\AppData\Roaming\Xfire
2010-10-29 22:21 . 2010-10-29 22:21 -------- d-----w- c:\program files\Xfire
2010-10-29 22:21 . 2010-10-29 22:21 -------- d-----w- c:\programdata\Xfire
2010-10-29 21:47 . 2010-10-29 21:47 -------- d-----w- c:\program files\Z8Games
2010-10-29 21:34 . 2010-10-29 21:34 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-10-29 19:32 . 2010-10-29 19:32 -------- d-----w- c:\users\Noah\AppData\Roaming\LolClient
2010-10-29 19:28 . 2010-10-29 19:31 -------- d-----w- C:\Hotspot Shield
2010-10-29 19:28 . 2010-10-29 19:31 -------- d-----w- c:\program files\Hotspot Shield
2010-10-29 19:24 . 2010-10-29 19:24 -------- d-----w- c:\users\Adminstrator\AppData\Roaming\IObit
2010-10-29 19:24 . 2010-10-29 19:24 -------- d-----w- c:\program files\IObit
2010-10-29 13:16 . 2010-10-29 13:16 -------- d-----w- c:\users\Noah\AppData\Roaming\SUPERAntiSpyware.com
2010-10-29 13:16 . 2010-10-29 13:16 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-10-29 12:41 . 2010-11-05 00:55 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-10-29 12:39 . 2010-10-29 12:39 -------- d-----w- c:\programdata\Blizzard
2010-10-28 20:09 . 2010-07-13 05:22 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2010-10-28 07:02 . 2010-08-04 06:15 204288 ----a-w- c:\windows\system32\MSNP.ax
2010-10-28 07:02 . 2010-08-04 06:18 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-10-28 07:02 . 2010-08-04 06:15 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2010-10-28 07:02 . 2010-08-04 06:17 417792 ----a-w- c:\windows\system32\msdri.dll
2010-10-25 23:25 . 2010-10-25 23:25 -------- d-----w- c:\users\Noah\AppData\Roaming\InterVideo
2010-10-25 23:25 . 2010-10-27 02:32 -------- d-----w- c:\programdata\InterVideo
2010-10-25 23:16 . 2010-10-25 23:19 -------- d-----w- c:\users\Noah\AppData\Local\Lenovo
2010-10-25 19:45 . 2010-10-25 19:45 -------- d-----w- c:\users\Noah\AppData\Roaming\SystemRequirementsLab
2010-10-21 23:18 . 2010-10-21 23:18 -------- d-sha-w- c:\users\Public\DRM
2010-10-19 07:02 . 2010-06-29 05:02 1413632 ----a-w- c:\windows\system32\ole32.dll
2010-10-19 07:02 . 2010-06-29 04:57 4247040 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-23 05:47 . 2010-09-23 05:47 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-09-23 05:32 . 2010-09-23 05:32 301936 ----a-w- c:\windows\WLXPGSS.SCR
2010-09-22 19:19 . 2010-09-22 19:19 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2010-09-22 19:19 . 2010-09-22 19:19 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2010-09-21 19:03 . 2010-09-21 19:03 208768 ----a-w- c:\windows\system32\LIVESSP.DLL
2010-09-01 05:39 . 2010-09-01 05:39 89872 ------w- c:\windows\system32\drivers\tmtdi.sys
2010-09-01 05:39 . 2010-09-01 05:39 283152 ------w- c:\windows\system32\drivers\tmwfp.sys
2010-09-01 05:39 . 2010-09-01 05:39 146448 ------w- c:\windows\system32\drivers\tmlwf.sys
2010-08-29 03:32 . 2010-08-29 03:32 109088 ----a-w- c:\windows\system32\KeyScramblerLogon.dll
2010-08-21 05:32 . 2010-09-17 07:02 316928 ----a-w- c:\windows\system32\spoolsv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"TpShocks"="TpShocks.exe" [2009-07-09 337184]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-02-25 8522272]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-08 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-08 151064]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2010-03-02 886120]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2009-08-05 244208]
"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2009-10-14 36864]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-22 1725736]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 1797008]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"KeyScrambler"="c:\program files\KeyScrambler\keyscrambler.exe" [2010-08-29 432672]

c:\users\Noah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-11-7 0]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-11-13 1375992]
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-08-05 362992]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2009-08-05 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2009-08-05 166384]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 PCDSRVC{3037D694-FD904ACA-06000000}_0;PCDSRVC{3037D694-FD904ACA-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2009-11-20 20848]
R3 PCDSRVC{C4B36920-79E24793-06000000}_0;PCDSRVC{C4B36920-79E24793-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\pcdsrvc.pkms [2009-11-20 20848]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2010-03-02 75112]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-08-05 313840]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-08-05 1124848]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2010-03-15 366840]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2010-07-19 51792]
R3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2010-09-01 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2010-09-01 689416]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-02 1343400]
R3 XDva370;XDva370;c:\windows\system32\XDva370.sys [x]
R3 XDva372;XDva372;c:\windows\system32\XDva372.sys [x]
R3 XDva374;XDva374;c:\windows\system32\XDva374.sys [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-08-18 237632]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880]
S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-07-16 656320]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-11-12 691696]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
S1 aswSP;aswSP; [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2010-09-01 146448]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-09-22 325168]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2010-07-30 36432]
S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2010-09-01 283152]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-15 62320]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2009-06-18 125568]
S3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2010-07-01 44432]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-09 122880]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-05-18 119256]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-02-11 114952]
S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-11-27 233472]

.
Contents of the 'Scheduled Tasks' folder

2010-11-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 16:50]

2010-11-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4291226254-662787883-914340902-1001Core.job
- c:\users\Noah\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-01 22:45]

2010-11-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4291226254-662787883-914340902-1001UA.job
- c:\users\Noah\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-01 22:45]

2010-11-06 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\pcdlauncher.exe [2009-11-20 10:12]

2010-11-12 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2010-01-28 17:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
TCP: {D6C55955-4A19-4E48-A3B7-3E2B4036BF04} = 10.72.96.1
FF - ProfilePath - c:\users\Adminstrator\AppData\Roaming\Mozilla\Firefox\Profiles\tr6j46zm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://searchdotconduitdotcom/ResultsEx ... ource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://searchdotconduitdotcom/?ctid=CT2 ... hSource=13
FF - prefs.js: keyword.URL - hxxp://searchdotconduitdotcom/ResultsEx ... 2304157&q=
FF - component: c:\users\Adminstrator\AppData\Roaming\Mozilla\Firefox\Profiles\tr6j46zm.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
FF - component: c:\users\Adminstrator\AppData\Roaming\Mozilla\Firefox\Profiles\tr6j46zm.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCore.dll
FF - component: c:\users\Adminstrator\AppData\Roaming\Mozilla\Firefox\Profiles\tr6j46zm.default\extensions\DTToolbar@toolbarnetdotcom\components\DTToolbarFF.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-Minecraft Alpha 1.2.0_02 - c:\users\Adminstrator\AppData\Roaming\Uninstal.exe



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{3037D694-FD904ACA-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{C4B36920-79E24793-06000000}_0]
"ImagePath"="\??\c:\progra~1\pc-doc~1\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4291226254-662787883-914340902-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F9707ED9-80D0-B1DA-ABA8-282254DF9729}*]
"jakihpmpkijoaobjjcga"=hex:66,61,70,6f,61,64,66,6c,67,66,67,63,00,fe
"pacoimobnnlfgooefhkmnckgdcikonep"=hex:65,61,70,6f,62,64,65,6c,69,68,00,63
"hakihpmpkijoaobj"=hex:6e,62,70,6f,6b,64,61,6f,6d,6e,63,63,6d,69,61,68,6f,65,
70,6d,6b,6e,67,61,6d,6f,6a,6d,61,65,65,66,6c,65,64,6d,6f,6b,6f,62,62,62,69,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2224)
c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEHook.dll
c:\program files\Lenovo\Access Connections\ACDeskBand.dll
c:\program files\Lenovo\Access Connections\AcLocSettings.dll
c:\program files\Lenovo\Access Connections\AcCryptHlpr.dll
c:\program files\Lenovo\Access Connections\ACHelper.dll
c:\program files\Lenovo\Access Connections\AcSvcStub.dll
c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\US\PWMRT32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\PWMIF32V.DLL
.
Completion time: 2010-11-13 17:10:26
ComboFix-quarantined-files.txt 2010-11-13 22:10

Pre-Run: 94,634,274,816 bytes free
Post-Run: 94,533,861,376 bytes free

- - End Of File - - 57E1BF72BFCE740FDD9BACD35046E293


P.S.: Though I find it suspicious that csrss.exe is nameless and has no user, when I click "all users" it shows two csrss.exe with the appropriate information.

Thanks, sorry for giving so many logs.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Microsoft.VC80.CRT is a C++ programming runtime library. It's needed by the WoW program and it's fine.

So that you are clear, the authenticator doesn't block keyloggers. It's just that the random code works once and it's not going to be able to be used again even if it is logged by a keylogger. Because it changes every time you log in, it makes it about 100% impossible for anyone else to log into your account unless they have your authenticator in their hand.

In Windows 7 there are two csrss.exe files and the ones you have are fine.

On your combofix log, I see viruses such as
Quote:
R3 XDva370;XDva370;c:\windows\system32\XDva370.sys [x]
R3 XDva372;XDva372;c:\windows\system32\XDva372.sys [x]
R3 XDva374;XDva374;c:\windows\system32\XDva374.sys [x]


I'll assume combofix removed them.

I'm curious what addons you are running. An exact list could be helpful.
  • VirusOwnedMe
  • Novice
  • Novice
  • VirusOwnedMe
  • Posts: 16

Post 3+ Months Ago

Are you sure ComboFix removed them? Also could you tell me if the virus AdAware found was my keylogger?
The addons are:
So I've got many folders; here's the folders as they appear.

!Swatter, Atlasloot, Atlasloot_Burning Crusade, Atlasloot_Crafting, Atlasloot_OriginalWoW, Atlasloot_WorldEvents, Atlasloot_WrathoftheLichKing, Atlasloot_Fu, Auc-Advanced, Auc-Filter-Basic, a few more Auc folders, then I have Blizzard folders, for example Blizzard_AchievementUI. I installed Auctioneer, and have Curse Profiler, DBM (Deadly Boss Mods), Gatherer, Omen, Recount, Gearscore, XPerl. Then there were some which I didn't know went with what, so I'm posting them all.

Stubby, SlideBar, Informant, Enchantrix, Enchantrix-Barker, BonusScanner.
Seems about it.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Regarding ComboFix, yes it removed them as indicated by the [x] at the end of the line.

As far as your addons they all look pretty normal. In fact I use all of them except for XPerl, which from what I understand isn't being supported very well for updates. The ones you weren't sure about are mostly associated with Auctioneer.

On the ComboFix log, the majority of the nasties are listed under the Find3M Report, one of which was KeyScramblerLogon.dll, which is spyware and most likely your keylogger.

Can I take a guess that you haven't had any more problems with your account being hacked again since you ran those scans? If you can go a couple days without getting hacked again, I'd say you're probably fixed, but if I were you I'd get an authenticator as quickly as you can.
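Added example, not code from the thread or from ComboFix: a small triage parser for the service/driver section of a ComboFix log, in the format the thread quotes (`R3 XDva370;XDva370;c:\windows\system32\XDva370.sys [x]`). It treats `[x]` in place of the date and size as ComboFix's marker for a registry service entry whose file is not on disk, and adds two low-confidence heuristics worth a second look rather than a verdict: a display name identical to the service name, and a `.sys` sitting directly in `system32` instead of `system32\drivers`. The sample lines are constructed from the entries visible in this thread.

```python
import re

# Constructed sample: a handful of lines in the ComboFix service-list format.
# Leading letter R/S = running/stopped, digit = service start type.
SAMPLE_LOG = r"""
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2010-09-01 283152]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-02-11 114952]
R3 XDva370;XDva370;c:\windows\system32\XDva370.sys [x]
R3 XDva372;XDva372;c:\windows\system32\XDva372.sys [x]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"     # R3 / S2
    r"(?P<name>[^;]+);(?P<display>[^;]*);"  # service name ; display name ;
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"  # image path [date size] or [x]
)


def parse_line(line: str):
    """Return a dict for one service line, or None if the line is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    meta = entry.pop("meta")
    if meta == "x":
        # Registry entry exists but ComboFix found no file at the path.
        entry.update(file_present=False, date=None, size=None)
    else:
        date, size = meta.split()
        entry.update(file_present=True, date=date, size=int(size))
    entry["start"] = int(entry["start"])
    return entry


def flags(entry: dict) -> list:
    """Indicators a reviewer would want to look at; none of them is proof of malware."""
    out = []
    if not entry["file_present"]:
        # Orphaned service: leftover from a removal, or a loader whose file was pulled.
        out.append("no-file")
    if entry["name"].lower() == entry["display"].lower():
        # Vendors usually set a descriptive display name; malware often does not.
        out.append("generic-name")
    path = entry["path"].lower()
    if path.endswith(".sys") and "\\drivers\\" not in path:
        # Kernel drivers normally live under system32\drivers; this is a weak hint only.
        out.append("sys-outside-drivers")
    return out


def triage(log_text: str):
    """Parse every service line in the text and return [(service name, [flags])] for flagged ones."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        f = flags(entry)
        if f:
            results.append((entry["name"], f))
    return results


if __name__ == "__main__":
    for name, f in triage(SAMPLE_LOG):
        print(f"{name}: {', '.join(f)}")
```

Run against the sample, the two XDva entries come out with all three indicators while tmwfp has none; regi and KeyScrambler trip only the name heuristic, which is why these flags should prompt checking the file (publisher, signature, hash) rather than deleting on sight. Whether an `[x]` entry was removed by the tool or was already gone is not something the log line alone tells you; the quarantine log mentioned later in the thread is the place to confirm that.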
  • VirusOwnedMe
  • Novice
  • Novice
  • VirusOwnedMe
  • Posts: 16

Post 3+ Months Ago

Thanks, I'll see if I get hacked again. Thanks for all the help, and I'll repost after a few days to say whether or not I've been hacked again.

Wait, KeyScrambler is still active. Should I uninstall it?

Also, I'd like to know whether the viruses under Find3M were deleted or not, and whether I should delete them; if so, please help me delete them.

OK, I have a problem. I tried uninstalling KeyScrambler, and a popup came up saying Au.exe wants permission to be allowed; I clicked Deny and checked online, and I have not installed Ace Utilities.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

You don't want to run Au.exe. It's an internet mailing worm.
http://www.srnmicro.com/procinfo/au.htm

Not certain what to tell you about KeyScrambler. I'm seeing conflicting information about what it even is.

I think what I would do is run the majority of all the scans you've tried so far in safe mode.

As far as seeing what files were deleted, ComboFix actually quarantines them. You can find a log of the quarantined files in C:\Qoobox\ComboFix-quarantined-files.txt
  • VirusOwnedMe
  • Novice
  • Novice
  • VirusOwnedMe
  • Posts: 16

Post 3+ Months Ago

Well, after a few days of playing I was unfortunately hacked again. What do you suggest I do?
  • SB
  • Moderator
  • Genius
  • User avatar
  • Posts: 8742
  • Loc: Aberdeen, Scotland

Post 3+ Months Ago

Have you looked into getting the authenticator? It should stop the hacking; however, the keylogger may still be there (that's assuming there is one).
  • VirusOwnedMe
  • Novice
  • Novice
  • VirusOwnedMe
  • Posts: 16

Post 3+ Months Ago

Also wondering if logging in from different IP addresses will lock my account? I was playing at my mom's house from Sunday to Tuesday night, and then Wednesday morning (today) I logged in to find that my account had been compromised. Is this because of the different IP addresses?
  • SB
  • Moderator
  • Genius
  • User avatar
  • Posts: 8742
  • Loc: Aberdeen, Scotland

Post 3+ Months Ago

Have you done all the aforementioned scanning on both your mum's computer and your own computer?
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

VirusOwnedMe wrote:
Also wondering if logging in from different IP addresses will lock my account? I was playing at my mom's house from Sunday to Tuesday night, and then Wednesday morning (today) I logged in to find that my account had been compromised. Is this because of the different IP addresses?


The IP address won't make a difference. I play from different IPs every day with no issues.
You'll have to forgive me, but I've given you every bit of information needed to resolve the account hack. If you don't want to get the authenticator, you're going to continue to get hacked and I have no further assistance to offer to this thread. Sorry, if you don't have a credit card to get it with. Get your mom or dad to get it for you.
  • VirusOwnedMe
  • Novice
  • Novice
  • VirusOwnedMe
  • Posts: 16

Post 3+ Months Ago

Before I scan my computer, I was wondering if I could run multiple scanners at the same time?

Also should I do the scans while I have WoW open at the login screen?
  • SpooF
  • ٩๏̯͡๏۶
  • Bronze Member
  • User avatar
  • Posts: 3422
  • Loc: Richland, WA

Post 3+ Months Ago

Change your password.
Change your secret question.
Change your email password.
Change your email's secret question.

Anything and everything that can be used to gain access to your WoW account's password: change it.
  • Total Posts in this topic: 32 posts

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.