09-19-2009, 02:51 AM   #1, posted by whateverwhateve (Registered User)
Join Date: Sep 2009
Posts: 12
OS: Vista


Hello again. I apologize for the previous post. Please have a look now; your help is really appreciated.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Ybies at 16:35:23.20 on Sat 19/09/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.65.1033.18.3070.1736 [GMT 8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Acer\Bio-Protection fingerprint solution\CompPtcVUI.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\BR040286.exe
C:\Program Files\Acer\Bio-Protection fingerprint solution\PdtWzd.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Users\Ybies\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
D:\Spybot - Search & Destroy\SDWinSec.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Acer\Bio-Protection fingerprint solution\PwdBank.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
D:\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Ybies\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.sg/
mStart Page = hxxp://en.sg.acer.yahoo.com
mDefault_Page_URL = hxxp://en.sg.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
uRun: [Pidgin] c:\program files\pidgin\pidgin.exe
uRun: [ares] "c:\program files\ares\Ares.exe" -h
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [BisonInst0402] c:\windows\BR040286.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [ZPdtWzdVitaKey MC3000] "c:\program files\acer\bio-protection fingerprint solution\PdtWzd.exe" show
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [eRecoveryService]
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - d:\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~2.0_0\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AWinNotifyVitaKey MC3000 - c:\program files\acer\bio-protection fingerprint solution\WinNotify.dll
AppInit_DLLs: avgrsstx.dll
LSA: Notification Packages = scecli c:\program files\acer\bio-protection fingerprint solution\PwdFilter

================= FIREFOX ===================

FF - ProfilePath - c:\users\ybies\appdata\roaming\mozilla\firefox\profiles\89dqn926.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 96520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-3 231192]
R2 SBSDWSCService;SBSD Security Center Service;d:\spybot - search & destroy\SDWinSec.exe [2009-9-2 1153368]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-7-23 180736]
R3 Salmosa03;Razer Salmosa USB Filter Driver;c:\windows\system32\drivers\Salmosa.sys [2008-10-16 9344]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2008-3-11 28464]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-09-19 16:08 396,288 a------- C:\HijackThis.exe
2009-09-19 16:07 <DIR> --d----- c:\program files\Trend Micro
2009-09-08 02:04 292,514,495 a------- c:\windows\MEMORY.DMP
2009-09-06 04:46 <DIR> --d----- c:\users\ybies\appdata\roaming\Uniblue
2009-09-02 21:55 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-09-02 21:55 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-08-30 23:48 <DIR> --d----- c:\programdata\Blizzard Entertainment
2009-08-30 23:48 <DIR> --d----- c:\progra~2\Blizzard Entertainment

==================== Find3M ====================

2009-03-05 17:37 86,016 a------- c:\windows\inf\infstrng.dat
2009-03-05 17:37 86,016 a------- c:\windows\inf\infstor.dat
2009-03-05 17:37 51,200 a------- c:\windows\inf\infpub.dat
2008-06-22 22:18 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 10:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 20:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 20:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 20:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 20:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 17:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 17:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 17:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 17:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 16:36:38.54 ===============

Because I was unable to edit my post after the 30-minute limit, I'm posting a reply with the background story.

I was hacked once before. My WoW account password and the email (Gmail) for the account were changed. This meant that I would be unable to retrieve my password. I managed to get it back after reporting this to the admins and got my password sent to my Hotmail.

Now the second time, I changed the email for WoW to my Hotmail account. As a result, I lost my Hotmail, Gmail and WoW account passwords. Fortunately I was able to get my Gmail back through the secret questions, which I remembered. For Hotmail, my MSN contacts are gone. Please tell me what is going on with my laptop...

Attached file: ark.zip (3.3 KB)

Last edited by amateur; 09-19-2009 at 03:52 AM. Reason: to retain 0-reply status

09-19-2009, 08:50 AM   #2, posted by Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: Sorry about the previous thread. RE: Hacked twice..

Hello whateverwhateve,

I'm not seeing anything in your logs. Let's see if an online scan reveals anything for us. Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
09-20-2009, 04:13 AM   #3, posted by whateverwhateve (Registered User)
Join Date: Sep 2009
Posts: 12
OS: Vista


Re: Sorry about the previous thread. RE: Hacked twice..

Hello Ried, your reply was truly a relief! Thank you so much.
Here are the logs.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, September 20, 2009
Operating system: Microsoft Windows Vista Business Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, September 20, 2009 09:28:59
Records in database: 2863432
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 127644
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:32:03

No threats found. Scanned area is clean.

Selected area has been scanned.


Nothing seems to be showing... Sigh.
09-20-2009, 07:15 AM   #4, posted by Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: Sorry about the previous thread. RE: Hacked twice..

Let's take a look with another tool. Download rsit.exe and save it to your desktop.
  • Double click on RSIT.exe to run it.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
I only need you to post the log.txt.
09-20-2009, 08:10 AM   #5, posted by whateverwhateve (Registered User)
Join Date: Sep 2009
Posts: 12
OS: Vista


Re: Sorry about the previous thread. RE: Hacked twice..

Okay, this is the log.txt.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Ybies at 2009-09-20 22:01:03
Microsoft® Windows Vista™ Business Service Pack 1
System drive C: has 10 GB (9%) free of 114 GB
Total RAM: 3070 MB (45% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:19 PM, on 20/9/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\BR040286.exe
C:\Program Files\Acer\Bio-Protection fingerprint solution\PdtWzd.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Users\Ybies\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Acer\Bio-Protection fingerprint solution\PwdBank.exe
C:\Program Files\Funshion Online\Funshion\Funshion.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Ybies\Desktop\RSIT.exe
C:\Program Files\Acer\Bio-Protection fingerprint solution\FPLaunch.exe
C:\Program Files\Acer\Bio-Protection fingerprint solution\ATSwpNav.exe
D:\Trendmirco\Ybies.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.sg.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.sg.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [BisonInst0402] C:\Windows\BR040286.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ZPdtWzdVitaKey MC3000] "C:\Program Files\Acer\Bio-Protection fingerprint solution\PdtWzd.exe" show
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: AWinNotifyVitaKey MC3000 - C:\Program Files\Acer\Bio-Protection fingerprint solution\WinNotify.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7873 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-08-16 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll [2008-01-03 155184]
{0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - Veoh Web Player Video Finder - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll [2009-04-04 429816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-21 1008184]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2008-01-08 4853760]
"SynTPStart"=C:\Program Files\Synaptics\SynTP\SynTPStart.exe [2007-09-08 102400]
"BisonInst0402"=C:\Windows\BR040286.exe [2007-05-09 53248]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2006-11-11 90112]
"ZPdtWzdVitaKey MC3000"=C:\Program Files\Acer\Bio-Protection fingerprint solution\PdtWzd.exe [2008-03-11 3801088]
"LManager"=C:\PROGRA~1\LAUNCH~1\LManager.exe [2008-01-08 858632]
"eRecoveryService"= []
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-08-16 1232152]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Pidgin"=C:\Program Files\Pidgin\pidgin.exe [2009-01-13 45603]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-03-08 40048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares\Ares.exe [2008-02-20 963072]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe [2008-01-03 521776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Funshion]
C:\Program Files\Funshion Online\Funshion\Funshion.exe [2008-08-22 2695168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-01-06 290088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-10-12 62760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2008-01-23 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
C:\Program Files\uTorrent\uTorrent.exe [2008-08-25 267056]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe [2009-04-04 3558648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTTray.exe [2007-08-29 739880]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
C:\Acer\EMPOWE~1\EAPLAU~1.EXE [2007-04-15 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Ybies^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
C:\PROGRA~1\MAGICD~1\MAGICD~1.EXE [2008-07-28 575488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AWinNotifyVitaKey MC3000]
C:\Program Files\Acer\Bio-Protection fingerprint solution\WinNotify.dll [2008-03-11 2790912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\Program Files\Acer\Bio-Protection fingerprint solution\PwdFilter

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24820f97-8249-11de-a7af-000000000000}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24820faa-8249-11de-a7af-000000000000}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL cvlu.exe
shell\Explore\command - cvlu.exe
shell\Open\command - cvlu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24820fb9-8249-11de-a7af-000000000000}]
shell\AutoRun\command - h3.bat
shell\explore\command - h3.bat
shell\open\command - h3.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{318cd58d-cd30-11dd-9783-000000000000}]
shell\AutoRun\command - wscript.exe .vbs
shell\open\command - wscript.exe .vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{377f0b61-8452-11da-998b-000000000000}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
shell\Open\command - Boot.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b527c6d-81a0-11de-9042-000000000000}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL cvlu.exe
shell\Explore\command - cvlu.exe
shell\Open\command - cvlu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7efd67ae-2a13-11dd-9d1f-000000000000}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Boot.exe e


======List of files/folders created in the last 1 months======

2009-09-20 22:01:03 ----D---- C:\rsit
2009-09-20 16:23:05 ----D---- C:\Windows\Sun
2009-09-19 19:50:31 ----A---- C:\Windows\system32\tzres.dll
2009-09-19 19:41:12 ----A---- C:\Windows\system32\wdigest.dll
2009-09-19 19:41:12 ----A---- C:\Windows\system32\secur32.dll
2009-09-19 19:41:12 ----A---- C:\Windows\system32\schannel.dll
2009-09-19 19:41:12 ----A---- C:\Windows\system32\msv1_0.dll
2009-09-19 19:41:12 ----A---- C:\Windows\system32\lsass.exe
2009-09-19 19:41:12 ----A---- C:\Windows\system32\lsasrv.dll
2009-09-19 19:41:12 ----A---- C:\Windows\system32\kerberos.dll
2009-09-19 18:12:33 ----D---- C:\Program Files\Panda Security
2009-09-19 16:08:16 ----A---- C:\HijackThis.exe
2009-09-19 16:07:49 ----D---- C:\Program Files\Trend Micro
2009-09-09 01:43:49 ----A---- C:\Windows\system32\TCPSVCS.EXE
2009-09-09 01:43:49 ----A---- C:\Windows\system32\ROUTE.EXE
2009-09-09 01:43:49 ----A---- C:\Windows\system32\NETSTAT.EXE
2009-09-09 01:43:49 ----A---- C:\Windows\system32\netiohlp.dll
2009-09-09 01:43:49 ----A---- C:\Windows\system32\netevent.dll
2009-09-09 01:43:49 ----A---- C:\Windows\system32\MRINFO.EXE
2009-09-09 01:43:49 ----A---- C:\Windows\system32\HOSTNAME.EXE
2009-09-09 01:43:49 ----A---- C:\Windows\system32\finger.exe
2009-09-09 01:43:49 ----A---- C:\Windows\system32\ARP.EXE
2009-09-09 01:43:34 ----A---- C:\Windows\system32\wlansvc.dll
2009-09-09 01:43:34 ----A---- C:\Windows\system32\wlansec.dll
2009-09-09 01:43:34 ----A---- C:\Windows\system32\wlanmsm.dll
2009-09-09 01:43:34 ----A---- C:\Windows\system32\L2SecHC.dll
2009-09-09 01:43:28 ----A---- C:\Windows\system32\WMVCORE.DLL
2009-09-09 01:43:28 ----A---- C:\Windows\system32\mf.dll
2009-09-09 01:43:26 ----A---- C:\Windows\system32\jscript.dll
2009-09-06 04:46:55 ----D---- C:\Users\Ybies\AppData\Roaming\Uniblue
2009-09-02 21:55:57 ----D---- C:\ProgramData\Spybot - Search & Destroy
2009-08-30 23:48:14 ----D---- C:\ProgramData\Blizzard Entertainment

======List of files/folders modified in the last 1 months======

2009-09-20 22:01:19 ----D---- C:\Windows\Temp
2009-09-20 21:57:39 ----D---- C:\Users\Ybies\AppData\Roaming\.purple
2009-09-20 18:49:52 ----A---- C:\Windows\funshionplugin2.INI
2009-09-20 18:39:56 ----SHD---- C:\System Volume Information
2009-09-20 16:28:15 ----D---- C:\Windows\System32
2009-09-20 16:28:15 ----D---- C:\Windows\inf
2009-09-20 16:28:15 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-09-20 16:23:05 ----D---- C:\Windows
2009-09-20 16:22:52 ----D---- C:\Program Files\Mozilla Firefox
2009-09-19 20:40:40 ----D---- C:\Windows\rescache
2009-09-19 20:24:45 ----D---- C:\Windows\Microsoft.NET
2009-09-19 20:16:47 ----D---- C:\Windows\system32\en-US
2009-09-19 20:16:46 ----D---- C:\Windows\system32\drivers
2009-09-19 20:16:43 ----D---- C:\Windows\system32\wbem
2009-09-19 20:16:42 ----D---- C:\Windows\system32\manifeststore
2009-09-19 20:16:41 ----D---- C:\Windows\AppPatch
2009-09-19 20:16:41 ----D---- C:\Program Files\Internet Explorer
2009-09-19 20:16:39 ----D---- C:\Program Files\Windows Media Player
2009-09-19 19:51:00 ----D---- C:\Windows\winsxs
2009-09-19 19:50:54 ----D---- C:\Windows\system32\catroot
2009-09-19 19:46:39 ----SHD---- C:\Windows\Installer
2009-09-19 19:43:51 ----RSD---- C:\Windows\assembly
2009-09-19 19:40:57 ----D---- C:\Windows\system32\catroot2
2009-09-19 18:12:33 ----RD---- C:\Program Files
2009-09-19 16:07:51 ----D---- C:\Windows\Prefetch
2009-09-16 01:56:19 ----D---- C:\Program Files\World of Warcraft
2009-09-13 15:30:41 ----D---- C:\Windows\Minidump
2009-09-06 04:55:27 ----D---- C:\Windows\system32\config
2009-09-06 03:20:36 ----D---- C:\Program Files\Warcraft III with cracks
2009-09-06 02:19:25 ----D---- C:\Program Files\Garena
2009-09-02 21:55:57 ----HD---- C:\ProgramData
2009-08-28 14:38:22 ----A---- C:\Windows\system32\mrt.exe
2009-08-21 05:01:51 ----D---- C:\Users\Ybies\AppData\Roaming\U3

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2008-08-16 96520]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2008-08-16 26824]
R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-01-21 350720]
R2 Int15;int15; \??\C:\Windows\system32\drivers\int15.sys [2007-12-01 15392]
R2 irda;IrDA Protocol; C:\Windows\system32\DRIVERS\irda.sys [2008-01-21 95744]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-20 12672]
R2 PSDNServ;PSDNServ; C:\Windows\system32\DRIVERS\PSDNServ.sys [2008-01-03 16432]
R2 psdvdisk;PSDVdisk; C:\Windows\system32\DRIVERS\PSDVdisk.sys [2008-01-03 59952]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-11-29 8192]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2007-10-04 3155456]
R3 ATSWPDRV;AuthenTec TruePrint USB Driver (SwipeSensor); C:\Windows\system32\DRIVERS\ATSwpDrv.sys [2007-08-29 146560]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-07-23 180736]
R3 Cam5607;Acer Crystal Eye webcam; C:\Windows\System32\Drivers\BisonC07.sys [2007-10-30 829096]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-21 14208]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\Windows\system32\DRIVERS\DKbFltr.sys [2006-11-03 21264]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 hamachi;Hamachi Network Interface; C:\Windows\system32\DRIVERS\hamachi.sys [2008-05-16 25280]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-12-23 985600]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2006-12-23 207360]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-01-09 2044896]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\Windows\system32\DRIVERS\mcdbus.sys [2008-07-28 116736]
R3 NETw4v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-11-01 2252800]
R3 NSCIRDA;NSC Infrared Device Driver; C:\Windows\system32\DRIVERS\nscirda.sys [2008-01-21 30720]
R3 NTIDrvr;Upper Class Filter Driver; C:\Windows\system32\DRIVERS\NTIDrvr.sys [2008-02-20 6144]
R3 Salmosa03;Razer Salmosa USB Filter Driver; C:\Windows\System32\Drivers\Salmosa.sys [2008-03-20 9344]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-21 88576]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2007-09-08 192816]
R3 tifm21;tifm21; C:\Windows\system32\drivers\tifm21.sys [2007-05-02 290816]
R3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2008-01-21 73088]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-12-23 659968]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-21 11264]
S2 npkcrypt;npkcrypt; \??\C:\Nexon\MapleStory\npkcrypt.sys []
S3 BthEnum;Bluetooth Enumerator Service; C:\Windows\system32\DRIVERS\BthEnum.sys [2008-01-21 19456]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-21 92160]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2008-04-29 220160]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2008-04-29 29184]
S3 btwaudio;Bluetooth Audio Device Service; C:\Windows\system32\drivers\btwaudio.sys [2007-08-30 81448]
S3 btwavdt;Bluetooth AVDT Service; C:\Windows\system32\drivers\btwavdt.sys [2007-08-30 99880]
S3 btwl2cap;Bluetooth L2CAP Service; C:\Windows\system32\DRIVERS\btwl2cap.sys [2007-05-18 28464]
S3 btwrchid;btwrchid; C:\Windows\system32\DRIVERS\btwrchid.sys [2007-08-30 17448]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-21 5632]
S3 GarenaPEngine;GarenaPEngine; \??\C:\Users\Ybies\AppData\Local\Temp\LIJ4F96.tmp []
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2008-01-21 200704]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-21 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-21 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-21 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-21 6016]
S3 NETw3v32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2008-01-21 2225664]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2008-01-21 49664]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\Windows\system32\DRIVERS\SymIM.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-21 35328]
S3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-21 134016]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-21 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-21 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-21 386616]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-08-16 611664]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2007-10-04 610304]
R2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-16 231192]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-21 21504]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-21 21504]
R2 eDataSecurity Service;eDataSecurity Service; C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe [2008-01-03 506416]
R2 eLockService;eLock Service; C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe [2007-10-02 24576]
R2 eNet Service;eNet Service; C:\Acer\Empowering Technology\eNet\eNet Service.exe [2007-12-21 131072]
R2 eRecoveryService;eRecovery Service; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [2007-09-11 57344]
R2 eSettingsService;eSettings Service; C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [2007-12-20 24576]
R2 Irmon;@%SystemRoot%\System32\irmon.dll,-2000; C:\Windows\system32\svchost.exe [2008-01-21 21504]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-01-18 61440]
R2 MobilityService;MobilityService; C:\Acer\Mobility Center\MobilityService.exe [2007-11-28 110592]
R2 SBSDWSCService;SBSD Security Center Service; D:\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 WMIService;ePower Service; C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [2007-09-21 167936]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-11-29 386560]
S2 SQLWriter;SQL Server VSS Writer; C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2007-02-10 89968]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2008-01-21 21504]
S3 AresChatServer;Ares Chatroom server; C:\Program Files\Ares\chatServer.exe [2007-03-20 263168]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2008-01-21 523776]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-01-06 536872]
S3 npggsvc;nProtect GameGuard Service; C:\Windows\system32\GameMon.des [2009-04-15 2767901]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-27 145184]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2008-01-21 21504]
S3 usprserv;User Privilege Service; C:\Windows\System32\svchost.exe [2008-01-21 21504]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2008-01-21 917504]

-----------------EOF-----------------
whateverwhateve is offline  
Old 09-20-2009, 08:18 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: Sorry about the previous thread. RE: Hacked twice..

There it is - in your mountpoints.

It may require more than one run to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.


Download Combofix from any of the links below, and save it to your desktop.


Link 1
Link 2


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you are unsure how to do this, please see this link http://www.bleepingcomputer.com/forums/topic114351.html

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
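As an added illustration of what Ried is pointing at in the mountpoints (this is example code written for this thread, not part of RSIT, ComboFix or any post here): a small parser that walks the MountPoints2 section of an RSIT log and reports every per-volume shell verb override, with the autorun-worm traits each command shows. The log excerpt is copied from the log above as a constructed sample; the regexes, the reason labels and the `Finding` layout are my own assumptions about how to read such a log.

```python
import re
from dataclasses import dataclass

# Constructed sample: four of the MountPoints2 keys from the RSIT log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24820f97-8249-11de-a7af-000000000000}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24820faa-8249-11de-a7af-000000000000}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL cvlu.exe
shell\Explore\command - cvlu.exe
shell\Open\command - cvlu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24820fb9-8249-11de-a7af-000000000000}]
shell\AutoRun\command - h3.bat
shell\explore\command - h3.bat
shell\open\command - h3.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7efd67ae-2a13-11dd-9d1f-000000000000}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Boot.exe e
"""

# One MountPoints2 volume key; the GUID identifies a volume (typically a USB stick)
# that was plugged into this machine at some point.
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
# A per-volume shell verb override as RSIT prints it: "shell\<verb>\command - <cmd>"
CMD_RE = re.compile(r"^shell\\(\w+)\\command - (.+)$", re.I)
# The "rundll32 shell32.dll,ShellExec_RunDLL <target>" launcher prefix
WRAPPER_RE = re.compile(r"^.*?rundll32\.exe\s+shell32\.dll,shellexec_rundll\s+", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


@dataclass(frozen=True)
class Finding:
    volume_guid: str
    verb: str        # AutoRun, Open, Explore, ...
    command: str     # the raw command as logged
    payload: str     # the file that actually ends up running
    reasons: tuple   # why this entry is suspicious


def split_command(command: str):
    """Return (wrapped, tokens): whether the ShellExec_RunDLL launcher prefix was
    present, and the remaining command line split into tokens."""
    stripped, hits = WRAPPER_RE.subn("", command, count=1)
    return hits == 1, stripped.split()


def classify(verb: str, command: str):
    """Return (payload, reasons). Every shell verb override on a MountPoints2 key is
    reported; the reasons name the traits that make this one look like autorun malware."""
    wrapped, tokens = split_command(command)
    host = tokens[0].lower() if tokens else ""
    if host in SCRIPT_HOSTS and len(tokens) > 1:
        payload = tokens[1]      # wscript.exe <script>: the script is the real payload
    else:
        payload = tokens[0] if tokens else ""
    reasons = []
    if verb.lower() == "autorun":
        reasons.append("AutoRun verb: fires when the volume is inserted or double-clicked")
    if wrapped:
        reasons.append("launched via RunDLL32 ShellExec_RunDLL wrapper")
    if host in SCRIPT_HOSTS or payload.lower().endswith((".vbs", ".vbe", ".js")):
        reasons.append("script host / script payload")
    if payload.lower().endswith((".bat", ".cmd")):
        reasons.append("batch file payload")
    if payload and ":" not in payload and "\\" not in payload:
        reasons.append("relative path: no drive or folder, so the file is expected on the volume itself")
    return payload, tuple(reasons)


def analyze(log_text: str):
    """Walk an RSIT log and collect one Finding per shell verb override under MountPoints2."""
    findings, guid = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            guid = key.group(1)
            continue
        cmd = CMD_RE.match(line)
        if cmd and guid:
            verb, command = cmd.group(1), cmd.group(2).strip()
            payload, reasons = classify(verb, command)
            findings.append(Finding(guid, verb, command, payload, reasons))
    return findings


def affected_volumes(findings):
    """Distinct volume GUIDs carrying an override; each one needs its key removed
    and the corresponding drive scanned before it is plugged in again."""
    return {f.volume_guid for f in findings}


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.volume_guid} {f.verb:<8} -> {f.payload}")
        for r in f.reasons:
            print(f"    - {r}")
    print(f"{len(results)} overrides on {len(affected_volumes(results))} volumes")
```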
Old 09-20-2009, 08:22 AM   #7 (permalink)
Registered User
Join Date: Sep 2009
Posts: 12
OS: vista


Re: Sorry about the previous thread. RE: Hacked twice..

Finally! :D
What is it?
Thanks for your time, I'm working on it ATM.

ComboFix 09-09-18.02 - Ybies 20/09/2009 22:26.1.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.65.1033.18.3070.1205 [GMT 8:00]
Running from: c:\users\Ybies\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-4257081284-2370526249-4090303834-500

.
((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-20 14:31 . 2009-09-20 14:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-20 14:01 . 2009-09-20 14:01 -------- d-----w- C:\rsit
2009-09-20 08:23 . 2009-09-20 08:23 -------- d-----w- c:\windows\Sun
2009-09-19 11:50 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-19 11:41 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-09-19 11:41 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-09-19 11:41 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-09-19 11:41 . 2009-06-15 15:24 270848 ----a-w- c:\windows\system32\schannel.dll
2009-09-19 11:41 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-09-19 11:41 . 2009-06-15 15:22 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-19 11:41 . 2009-06-15 15:21 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-09-19 11:41 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-09-19 10:12 . 2008-06-19 09:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-09-19 10:12 . 2009-09-19 10:12 -------- d-----w- c:\program files\Panda Security
2009-09-19 08:08 . 2009-09-19 08:08 396288 ----a-w- C:\HijackThis.exe
2009-09-19 08:07 . 2009-09-19 08:07 -------- d-----w- c:\program files\Trend Micro
2009-09-05 20:46 . 2009-09-05 20:46 -------- d-----w- c:\users\Ybies\AppData\Roaming\Uniblue
2009-09-02 13:55 . 2009-09-19 09:16 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-30 15:48 . 2009-08-30 15:48 -------- d-----w- c:\programdata\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 14:32 . 2008-03-11 09:11 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-20 13:57 . 2009-01-19 15:37 -------- d-----w- c:\users\Ybies\AppData\Roaming\.purple
2009-09-15 17:56 . 2008-05-03 05:59 -------- d-----w- c:\program files\World of Warcraft
2009-09-05 19:20 . 2008-05-16 10:39 -------- d-----w- c:\program files\Warcraft III with cracks
2009-09-05 18:19 . 2008-08-22 17:35 -------- d-----w- c:\program files\Garena
2009-08-20 21:01 . 2006-01-11 01:25 -------- d-----w- c:\users\Ybies\AppData\Roaming\U3
2009-08-16 18:17 . 2009-01-19 15:42 -------- d-----w- c:\users\Ybies\AppData\Roaming\gtk-2.0
2009-08-14 17:07 . 2009-09-08 17:43 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 17:07 . 2009-04-07 17:32 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys.do
2009-08-14 16:29 . 2009-09-08 17:43 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 16:29 . 2009-09-08 17:43 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 14:16 . 2009-09-08 17:43 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-08 17:43 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-08 17:43 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-08 17:43 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-08 17:43 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-08 17:43 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-08 17:43 10240 ----a-w- c:\windows\system32\finger.exe
2009-07-24 17:07 . 2008-05-28 14:53 -------- d-----w- c:\users\Ybies\AppData\Roaming\Ventrilo
2009-07-18 16:06 . 2009-07-29 15:39 827904 ----a-w- c:\windows\system32\wininet.dll
2009-07-18 16:01 . 2009-07-29 15:39 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 09:46 . 2009-07-29 15:39 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 14:35 . 2009-08-12 16:20 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 16:08 . 2009-07-15 16:08 2141 ----a-w- c:\users\Ybies\AppData\Roaming\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-07-14 13:00 . 2009-08-12 16:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 12:59 . 2009-08-12 16:00 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 12:58 . 2009-08-12 16:00 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 10:59 . 2009-08-12 16:00 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-11 19:32 . 2009-09-08 17:43 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:32 . 2009-09-08 17:43 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:32 . 2009-09-08 17:43 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:29 . 2009-09-08 17:43 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-07-10 18:58 . 2009-07-10 18:58 2095 ----a-w- c:\users\Ybies\AppData\Roaming\.purple\certificates\x509\tls_peers\login.live.com
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pidgin"="c:\program files\Pidgin\pidgin.exe" [2009-01-12 45603]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"BisonInst0402"="c:\windows\BR040286.exe" [2007-05-09 53248]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ZPdtWzdVitaKey MC3000"="c:\program files\Acer\Bio-Protection fingerprint solution\PdtWzd.exe" [2008-03-11 3801088]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-07 858632]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-08-16 1232152]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-08 4853760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
2008-03-11 09:22 2790912 ----a-w- c:\program files\Acer\Bio-Protection fingerprint solution\WinNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Ybies^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\Ybies\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ares"="c:\program files\Ares\Ares.exe" -h

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9C60D71B-F321-486D-A3AB-F9F5B890801B}"= c:\program files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{A192D7C7-4EF0-4123-8F12-427B8AEB6CC4}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{B9314DA2-5C5C-4649-B1AC-8B0188960EB3}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{BF1C1289-49F5-4DE5-A03B-F07BFB764302}c:\\program files\\warcraft iii\\yawle.exe"= UDP:c:\program files\warcraft iii\yawle.exe:yawle
"UDP Query User{CEAC0276-1542-4D9F-9849-6B9F645BACB2}c:\\program files\\warcraft iii\\yawle.exe"= TCP:c:\program files\warcraft iii\yawle.exe:yawle
"TCP Query User{E70697C4-C495-4DB6-B5CB-7D719D9DD4DD}c:\\users\\ybies\\desktop\\warcraft iii with cracks\\war3.exe"= UDP:c:\users\ybies\desktop\warcraft iii with cracks\war3.exe:war3.exe
"UDP Query User{611D3467-2562-454B-BD31-4BABAC7EF4BA}c:\\users\\ybies\\desktop\\warcraft iii with cracks\\war3.exe"= TCP:c:\users\ybies\desktop\warcraft iii with cracks\war3.exe:war3.exe
"{505CAD99-1315-4B58-BDBB-9048E36E1853}"= UDP:c:\program files\AVG\AVG8\avgui.exe:AVG Free User Interface
"{1509ACAE-DA70-4499-B5C5-FFED37F9867B}"= TCP:c:\program files\AVG\AVG8\avgui.exe:AVG Free User Interface
"{8C7EA621-08DC-4966-A7D0-A937F5B0D1BC}"= UDP:c:\program files\AVG\AVG8\avgtray.exe:AVG Free Tray Icon
"{56D5D95F-BF67-4601-BCAC-ED94286C9FBE}"= TCP:c:\program files\AVG\AVG8\avgtray.exe:AVG Free Tray Icon
"TCP Query User{645786EC-C458-4B58-B699-943E7592A1DE}c:\\program files\\ares\\ares.exe"= UDP:c:\program files\ares\ares.exe:Ares p2p for windows
"UDP Query User{74D86348-BCEF-4BB8-AC78-180ECA8C38CB}c:\\program files\\ares\\ares.exe"= TCP:c:\program files\ares\ares.exe:Ares p2p for windows
"TCP Query User{6710A4FF-7E25-4784-BBA6-A2284FC9B201}c:\\users\\ybies\\documents\\lancraft.exe"= UDP:c:\users\ybies\documents\lancraft.exe:lancraft.exe
"UDP Query User{3D790800-950A-487B-A8B3-9B2AC7F91D90}c:\\users\\ybies\\documents\\lancraft.exe"= TCP:c:\users\ybies\documents\lancraft.exe:lancraft.exe
"TCP Query User{D3CA5AB4-5095-40A5-A5C5-995468B645D0}c:\\program files\\warcraft iii with cracks\\war3.exe"= UDP:c:\program files\warcraft iii with cracks\war3.exe:Warcraft III
"UDP Query User{E5C7E87F-00FE-435A-A9B7-CC309D1A0BF4}c:\\program files\\warcraft iii with cracks\\war3.exe"= TCP:c:\program files\warcraft iii with cracks\war3.exe:Warcraft III
"TCP Query User{15B02DC1-F759-4471-A5E9-381B7D61ECAD}c:\\program files\\garena\\garena.exe"= UDP:c:\program files\garena\garena.exe:Garena
"UDP Query User{505228A4-1151-4C94-843D-F34F180C9CD5}c:\\program files\\garena\\garena.exe"= TCP:c:\program files\garena\garena.exe:Garena
"{B313D64C-CCAC-4D8B-B5FD-4E8C8C34BC3E}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{E390F6C7-72F7-43F9-8557-06788B17E217}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{7C0334A1-2776-4B48-9B06-C89EF307B7C8}c:\\users\\ybies\\desktop\\left 4 dead\\left4dead.exe"= UDP:c:\users\ybies\desktop\left 4 dead\left4dead.exe:left4dead.exe
"UDP Query User{143AF061-C842-4014-BC2A-996F05B72414}c:\\users\\ybies\\desktop\\left 4 dead\\left4dead.exe"= TCP:c:\users\ybies\desktop\left 4 dead\left4dead.exe:left4dead.exe
"TCP Query User{87932C0B-9E64-49C6-AA0A-AADA22ED4A32}c:\\program files\\left 4 dead\\left4dead.exe"= UDP:c:\program files\left 4 dead\left4dead.exe:left4dead
"UDP Query User{1150007D-7226-41ED-8B88-1C3DB791D15E}c:\\program files\\left 4 dead\\left4dead.exe"= TCP:c:\program files\left 4 dead\left4dead.exe:left4dead
"TCP Query User{7D738685-650A-46A1-BED4-5C9465096244}c:\\program files\\miranda im\\miranda32.exe"= UDP:c:\program files\miranda im\miranda32.exe:Miranda IM
"UDP Query User{A739D5D5-D382-4F5B-B376-635F959EFED1}c:\\program files\\miranda im\\miranda32.exe"= TCP:c:\program files\miranda im\miranda32.exe:Miranda IM
"TCP Query User{B4E7D969-799E-4DEC-BEB2-15C55A5DD575}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{1130FC3A-2C77-41BC-956D-286ED3E40A69}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{42366512-6496-4866-9EF9-3B0BD748AF41}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6B4276BA-3B27-48EA-8D54-15ADAC4136D0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{5E6F668D-9800-4B20-9F49-DED98C5682B4}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{BABB817B-51CE-4131-B73D-0F26582068F1}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{14DCC413-BD31-4F0C-9D63-4D7144C2CE11}c:\\program files\\funshion online\\funshion\\funshion.exe"= UDP:c:\program files\funshion online\funshion\funshion.exe:Funshion
"UDP Query User{2970FD73-B463-4AEF-8B23-CC811B4DBF16}c:\\program files\\funshion online\\funshion\\funshion.exe"= TCP:c:\program files\funshion online\funshion\funshion.exe:Funshion
"TCP Query User{1227037D-84AC-4FEF-A959-5A1015945730}c:\\program files\\world of warcraft\\launcher.exe"= UDP:c:\program files\world of warcraft\launcher.exe:Blizzard Launcher
"UDP Query User{B1D34B76-9E17-4996-9F29-C4888DEA6AFD}c:\\program files\\world of warcraft\\launcher.exe"= TCP:c:\program files\world of warcraft\launcher.exe:Blizzard Launcher
"{CF5D419C-B82D-4672-9B7D-EA4301CE4278}"= UDP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{03576691-B701-4AA2-8BFB-D3D0920DDDFE}"= TCP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"TCP Query User{9E615EDE-C88E-4F14-A856-673EC2BC765E}c:\\program files\\softnyx\\gunboundwc\\gunbound.gme"= UDP:c:\program files\softnyx\gunboundwc\gunbound.gme:GunBound
"UDP Query User{D32DD76A-8503-4A98-9108-8FAF0713D0BE}c:\\program files\\softnyx\\gunboundwc\\gunbound.gme"= TCP:c:\program files\softnyx\gunboundwc\gunbound.gme:GunBound
"{DFC81AD0-921F-438F-A8F6-B20D34939902}"= UDP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe:Blizzard Downloader
"{C1A8E137-3369-4FA0-AAA9-37FE0905D15D}"= TCP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe:Blizzard Downloader
"{68DD981A-5957-4BCE-B833-264080314BA7}"= UDP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe:Blizzard Downloader
"{43576375-0F97-4289-AF95-47CC1382E67B}"= TCP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe:Blizzard Downloader

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [19/9/2009 6:12 PM 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [3/5/2008 2:30 PM 96520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/5/2008 2:30 PM 231192]
R2 SBSDWSCService;SBSD Security Center Service;d:\spybot - search & destroy\SDWinSec.exe [2/9/2009 9:55 PM 1153368]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [23/7/2007 7:00 AM 180736]
R3 Salmosa03;Razer Salmosa USB Filter Driver;c:\windows\System32\drivers\Salmosa.sys [16/10/2008 11:19 PM 9344]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [11/3/2008 5:17 PM 28464]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.sg/
mStart Page = hxxp://en.sg.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Ybies\AppData\Roaming\Mozilla\Firefox\Profiles\89dqn926.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/firefox
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-eRecoveryService - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 22:34
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\users\Ybies\AppData\Local\Temp\LIJ4F96.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3024)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Acer\Bio-Protection fingerprint solution\CompPtcVUI.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\windows\System32\drivers\XAudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-09-20 22:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-20 14:39

Pre-Run: 10,334,543,872 bytes free
Post-Run: 10,198,654,976 bytes free

250 --- E O F --- 2009-09-19 11:51

Last edited by whateverwhateve; 09-20-2009 at 08:48 AM. Reason: added combofix log
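The two entries ComboFix printed for review above (GarenaPEngine, whose ImagePath points into the user's Temp folder, and npggsvc, whose image has a .des extension and shows "[?]" instead of a file date and size) are exactly what an analyst scans a log for by eye. The script below is an added example, not part of the original post and not ComboFix's own code, that applies those same three heuristics to constructed log lines written in the ComboFix/DDS format: a service image under a user-writable directory, an image extension other than .exe/.sys/.dll, and a missing file date/size. A hit is a prompt to check the file's signature and hash, not a verdict; the log itself labels npggsvc as nProtect GameGuard, a game anti-cheat component, and Garena is a gaming platform. The list of "user-writable" path markers and the set of "normal" extensions are assumptions chosen for this example.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the ComboFix/DDS service and registry lines in
# the log above (not the full log). Raw string so the backslashes survive as written.
SAMPLE_LOG = r"""
R2 SBSDWSCService;SBSD Security Center Service;d:\spybot - search & destroy\SDWinSec.exe [2/9/2009 9:55 PM 1153368]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [23/7/2007 7:00 AM 180736]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\users\Ybies\AppData\Local\Temp\LIJ4F96.tmp"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
"""

# "R2 name;display name;image [date size]" service lines, and the registry form.
SERVICE_LINE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+)$')
SERVICE_KEY = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\([^\\\]]+)\]$',
    re.I)
IMAGE_PATH = re.compile(r'^"ImagePath"="(.*)"$', re.I)
# First token ending in an executable-style extension; anything after it is arguments.
IMAGE_TOKEN = re.compile(r'^(.*?\.(?:exe|sys|dll|tmp|des|cpl|scr|com|bat|pif))(?=\s|$)', re.I)

# Assumed heuristics for this example: locations any user can write to, and the
# extensions a service image normally has.
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\temp\\', '\\documents and settings\\', '\\programdata\\')
NORMAL_SERVICE_EXT = {'.exe', '.sys', '.dll'}


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)


def image_file(command: str) -> str:
    """Reduce an ImagePath/command line to the file it launches."""
    cmd = command.strip().strip('"')
    if cmd.startswith('\\??\\'):          # NT object-manager prefix, common for drivers
        cmd = cmd[4:]
    m = IMAGE_TOKEN.match(cmd)
    return m.group(1) if m else cmd


def review_reasons(path: str, meta) -> list:
    """Heuristic reasons to look closer at a service image; empty list means none."""
    reasons = []
    low = path.lower()
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append('image lives in a user-writable location')
    ext = ntpath.splitext(low)[1]
    if ext not in NORMAL_SERVICE_EXT:
        reasons.append(f'unusual service image extension {ext or "(none)"}')
    if meta == '?':
        reasons.append('log shows [?] instead of file date/size')
    return reasons


def analyze(log_text: str) -> list:
    """Return one Finding per (service, image) pair that trips a heuristic."""
    findings = {}
    current_key = None

    def record(name, path, meta):
        reasons = review_reasons(path, meta)
        if not reasons:
            return
        f = findings.setdefault((name.lower(), path.lower()), Finding(name, path))
        for r in reasons:
            if r not in f.reasons:
                f.reasons.append(r)

    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_LINE.match(line)
        if m:
            name, command = m.group(2), m.group(4)
            meta = None
            if command.endswith(']') and ' [' in command:
                command, meta = command.rsplit(' [', 1)   # trailing "[date size]" or "[?]"
                meta = meta[:-1]
            command = command.split(' --> ')[0]           # ComboFix prints "registry --> on disk"
            record(name, image_file(command), meta)
            continue
        m = SERVICE_KEY.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = IMAGE_PATH.match(line)
        if m and current_key:
            record(current_key, image_file(m.group(1)), None)
            current_key = None
    return list(findings.values())


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f'{f.name}: {f.path}')
        for r in f.reasons:
            print(f'    - {r}')
```

To run it over a real log, read the saved ComboFix text into a string and pass it to analyze(); the Spybot and Broadcom lines above produce no finding, while npggsvc and GarenaPEngine each come back with the reasons an analyst would cite.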
Old 09-20-2009, 10:16 AM   #8
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: Sorry about the previous thread. RE: Hacked twice..

Sorry for the delay. I had seen your first reply, but we do not get notifications when posts are edited.


See this link for info about one of the files that made its way to your system. The rest of the malware files are of the same family.

As a side note, this is likely one of the sources of this infection - C:\Program Files\Warcraft III with cracks. If you install the cracked software, you are running executable files from these possibly dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

The files were no longer on your system, just the mountpoint registry keys. What is typically the F: drive? Is that your USB stick, or did you use someone else's?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 09-20-2009, 10:25 AM   #9
Registered User
Join Date: Sep 2009
Posts: 12
OS: vista


Re: Sorry about the previous thread. RE: Hacked twice..

No problem as long as you do reply

Uh, for the Warcraft, I'm sure it's functioning properly; it should be just the folder name itself. It's been with me for about a year and nothing has happened.

So just to be sure, are these the reasons why I recently got hacked twice in a month, after going back to play WoW?

Um, I think the F drive is a virtual drive so I can mount CD images.

Last edited by whateverwhateve; 09-20-2009 at 10:46 AM. Reason: F drive
Old 09-20-2009, 10:55 AM   #10
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: Sorry about the previous thread. RE: Hacked twice..

It sure is.

Quote:
==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 9.093 GiB free.
D: is FIXED (NTFS) - 112 GiB total, 97.379 GiB free.
E: is CDROM ()
F: is CDROM ()
That drive would have been scanned by ComboFix as well, so no worries. As far as how someone is gaining access, it could be from characters or equipment you've been 'given' for 'free', or purchased from someone else. There are many ways to hack someone with WOW.

There's not much more we can do from this end.
Old 09-20-2009, 11:04 AM   #11
Registered User
Join Date: Sep 2009
Posts: 12
OS: vista


Re: Sorry about the previous thread. RE: Hacked twice..

Erm, I do not purchase anything for WoW except installation discs, game cards and expansion sets. I play with my friends, so we kind of work together for everything.

The thing is..
For the first time I got hacked, I had registered my Gmail account for WoW.
My WoW account password was changed, and also the email for the account, meaning I wouldn't be able to retrieve my password via Gmail. I am also certain that the hacker had gained access to my Gmail, as I noticed it was signed in from another IP address that wasn't mine.

I got back my WoW account password by getting the admins' attention and getting the newly generated password sent to my Hotmail. Thus, I then registered my Hotmail account for WoW, thinking that it was safe...

Second time, Hotmail, Gmail and WoW passwords changed. Managed to get Gmail back through secret questions, but the rest are gone.

Anything else I should do, Ried?

Last edited by whateverwhateve; 09-20-2009 at 11:30 AM. Reason: Making it clearer
Old 09-20-2009, 11:30 AM   #12
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: Sorry about the previous thread. RE: Hacked twice..

I'm just giving you the most common ways WOW accounts are hacked. How it happened to you, where someone got hold of your Gmail info, would be near impossible to figure out.

I see you have uTorrent and ares, so it also could have entered your system via P2P file sharing. Please take the time to educate yourself and anyone else using this PC about the Perils of P2P File Sharing.

Let's hope that now the mountpoints have been removed, this will be the last of it.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an add-on available for both Firefox and IE.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


- Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

- Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.



- Most importantly, Think Prevention

-----------------------------------------------------


**Kindly respond one more time and let me know if we may consider this thread resolved.
Old 09-20-2009, 11:34 AM   #13
Registered User
Join Date: Sep 2009
Posts: 12
OS: vista


Re: Sorry about the previous thread. RE: Hacked twice..

Erm, my ComboFix disappeared. I think AVG removed it even though I have already disabled the Resident Shield.

What do i do now?
Old 09-20-2009, 11:38 AM   #14
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: Sorry about the previous thread. RE: Hacked twice..

Download a fresh copy from here, then execute the command.
Old 09-20-2009, 11:42 AM   #15
Registered User
Join Date: Sep 2009
Posts: 12
OS: vista


Re: Sorry about the previous thread. RE: Hacked twice..

Quote:
Originally Posted by Ried
I'm just giving you the most common ways WOW accounts are hacked. How is happened to you where someone got a hold of your gmail info would be near impossible to figure out.
Sorry, just for my knowledge, is this possible through keyloggers? Because I have lost multiple passwords.

Thank you, Combofix has been uninstalled.
Old 09-20-2009, 11:45 AM   #16
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: Sorry about the previous thread. RE: Hacked twice..

Sure, keyloggers would eventually figure out passwords to accounts. Did you have notification from your onboard tools of the presence of one?
Old 09-20-2009, 11:51 AM   #17
Registered User
Join Date: Sep 2009
Posts: 12
OS: vista


Re: Sorry about the previous thread. RE: Hacked twice..

Nope... But i fear the worst.

I'm really sorry if I seem to doubt your skill; please do not think that way. Just wondering if my laptop is really, really clean ATM!

Really don't wish for a third time.

Am currently installing SpywareBlaster and using Secunia's online scan.

Thank you, Ried and Amateur, for your patience and guidance!

Last edited by whateverwhateve; 09-20-2009 at 11:53 AM.
Old 09-20-2009, 11:55 AM   #18
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: Sorry about the previous thread. RE: Hacked twice..

I can assure you that your logs are clean, but I cannot guarantee that your laptop is clean. We cannot give that guarantee to anyone, ever. We've run various scanners that look in different areas of your computer and we can only remove what we see. If it were me, if my account gets hacked again, I'd reformat and reinstall the OS and download fresh WOW programs - without the cracks, and any other gaming programs.
Old 09-20-2009, 12:02 PM   #19
Registered User
Join Date: Sep 2009
Posts: 12
OS: vista


Re: Sorry about the previous thread. RE: Hacked twice..

Oh i see, i had no idea what i was doing at all. Do you have any other scanners to recommend?

Also, i'm not sure if this is off-topic but, my AVG can't seem to update. It just says update manager component is running.

Windows still states that AVG is not up-to-date...
Old 09-20-2009, 12:26 PM   #20
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: Sorry about the previous thread. RE: Hacked twice..

It could be the time of day and AVG servers are too busy. I would recommend uninstalling AVG and using Avast free AV. Download the installer, then uninstall AVG via the Programs and features panel. Reboot. Then install Avast.
Copyright 2001 - 2009, Tech Support Forum