Discussion Starter · #1 ·
I logged into my WoW account (no laughing :p) and my account has been looted and all the gear sold.

But OK, that's just virtual gear. I want to make sure there's nothing on my PC that shouldn't be there (I purchase stuff all the time).

Logfile of HijackThis v1.99.1
Scan saved at 10:27:37 PM, on 1/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paul Ellis\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SystemMgr] C:\WINDOWS\system32\Ir32_a.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Anything that shouldn't be there?

Thanks in advance :)
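A small triage helper for reading a HijackThis log like the one above, added here as an example (it is not code from the original post, from HijackThis or from TSF). It parses the O-numbered lines and applies the heuristics a responder applies by eye: entries whose target is missing, BHOs without a name, Run entries that launch a bare file name (resolved through the loader's search order rather than a fixed path), O16 ActiveX downloads with their source host, and Winlogon Notify DLLs (loaded into winlogon.exe as SYSTEM). A flag means "look again", not "malicious". The sample input is a subset of the log posted above; the flag names and the `Entry` class are this example's own.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed subset of the HijackThis log posted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SystemMgr] C:\WINDOWS\system32\Ir32_a.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    section: str          # "O2", "O4", ...
    text: str             # everything after "Oxx - "
    flags: list = field(default_factory=list)


def parse_hjt(log: str) -> list:
    """Return one Entry per 'Oxx - ...' line; header and process lines are ignored."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def first_token(cmd: str) -> str:
    """Executable part of a Run command, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def triage(entries: list) -> list:
    """Attach review flags to each entry; returns the same list."""
    for e in entries:
        if "(file missing)" in e.text:
            e.flags.append("dangling-reference")
        if e.section == "O2" and e.text.startswith("BHO: (no name)"):
            e.flags.append("unnamed-bho")
        if e.section == "O4":
            m = RUN_RE.search(e.text)
            if m:
                exe = first_token(m.group("cmd"))
                # No drive letter and no directory separator: the file that runs
                # is whatever the search order finds first, so verify which one.
                if exe and not re.search(r"[\\:]", exe):
                    e.flags.append("search-path-resolution")
        if e.section == "O16":
            host = urlparse(e.text.split(" - ")[-1]).hostname or "?"
            e.flags.append(f"activex-download:{host}")
        if e.section == "O20":
            e.flags.append("winlogon-notify-dll")
    return entries


def summarize(log: str) -> dict:
    """Map flag -> list of flagged entry texts, for a quick review list."""
    out = {}
    for e in triage(parse_hjt(log)):
        for f in e.flags:
            out.setdefault(f, []).append(e.text)
    return out


if __name__ == "__main__":
    for flag, items in sorted(summarize(SAMPLE_LOG).items()):
        print(flag)
        for t in items:
            print("   ", t)
```

Run it against a saved log (`summarize(open("hijackthis.log").read())`) and work through the flagged entries by hand; everything the script flags in the sample above has a benign explanation in this thread, which is exactly why the output is a checklist and not a verdict.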
 

Security Manager, Analyst , Rangemaster, TSF Acade
Hi and welcome to TSF.

There’s nothing obvious jumping out at me, but we’ll run a quick scan and see if anything shows up.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.


Anti Virus Required
I notice that you do not appear to have any active antivirus programme. Surfing the web without an AV is like begging for every infection that's around to be installed on your computer. It can take as little as 8 seconds to infect an unprotected PC! If you already have an AV programme, please ensure it is running. If not, here are three good free antivirus products which are available:
AVG
Avast!
BitDefender Free

Please install one of these now.



Please download combofix.exe to your desktop.

IMPORTANT - You must place combofix on your desktop!!


Double click combofix.exe & follow the prompts.

When finished, the tool will produce a log for you at c:\combofix.txt. Post that log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


Please post back with c:\combofix.txt and a fresh HijackThis Log. Please also let me know how your system is performing now and if you have any specific problems. In order to provide you with the best possible help, please ensure that HijackThis logs are produced only while in Normal Mode.
 

Discussion Starter · #3 ·
I got Avast running and it found nothing... here's ComboFix:

"Paul Ellis" - 07-01-21 8:09:55 Service Pack 2
ComboFix 07-01-21 - Running from: "C:\Documents and Settings\Paul Ellis\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\SigmaTel\MSCN\_desktop.ini
C:\Program Files\SigmaTel\MSCN\Docs\_desktop.ini
C:\Program Files\SigmaTel\MSCN\program\_desktop.ini
C:\Program Files\SigmaTel\MSCN\program\Apps\_desktop.ini
C:\Program Files\SigmaTel\MSCN\program\Binary\_desktop.ini
C:\Program Files\SigmaTel\MSCN\program\Drivers\_desktop.ini
C:\Program Files\SigmaTel\MSCN\program\Programs\_desktop.ini
C:\Program Files\SigmaTel\MSCN\res\_desktop.ini
C:\DOCUME~1\PAULEL~1\Application Data\Install.dat
C:\INSTALL.LOG
C:\Documents and Settings\All Users\Documents\Settings


((((((((((((((((((((((((((((((( Files Created from 2006-12-21 to 2007-01-21 ))))))))))))))))))))))))))))))))))


2007-01-20 20:58 94,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-01-20 20:58 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-01-20 20:58 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-01-20 20:58 689,280 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-01-20 20:58 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-01-20 20:58 31,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-01-20 20:58 23,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-01-20 20:58 <DIR> d-------- C:\Program Files\Alwil Software
2007-01-09 20:07 278,528 --a------ C:\WINDOWS\system32\PodcastBarWeb.dll
2007-01-09 20:07 <DIR> d-------- C:\Program Files\boba
2007-01-09 19:52 <DIR> d-------- C:\DOCUME~1\PAULEL~1\Application Data\PPLive
2007-01-09 19:51 <DIR> d-------- C:\Program Files\PPLive
2007-01-09 19:45 <DIR> d-------- C:\Program Files\PPMate
2007-01-09 19:45 <DIR> d-------- C:\Program Files\Common Files\Synacast
2007-01-09 19:45 <DIR> d-------- C:\ppmaterecord
2007-01-09 19:45 <DIR> d-------- C:\DOCUME~1\PAULEL~1\Application Data\PPMate
2007-01-03 19:45 34,297 --a------ C:\WINDOWS\system32\drivers\StMp3Rec.sys
2007-01-03 19:45 <DIR> d-------- C:\Program Files\SigmaTel
2006-12-29 11:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2006-12-25 19:16 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-12-25 12:47 <DIR> dr-h----- C:\DOCUME~1\PAULEL~1\Application Data\SecuROM
2006-12-25 12:40 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2006-12-25 12:40 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-12-25 12:40 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2006-12-25 12:40 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-12-25 12:40 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2006-12-25 12:40 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2006-12-25 10:42 <DIR> d-------- C:\Program Files\Atari


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-20 22:02 -------- d--h----- C:\Program Files\installshield installation information
2007-01-18 14:29 -------- d-------- C:\Program Files\mirc
2007-01-16 11:40 -------- d-------- C:\Program Files\world of warcraft
2006-12-29 11:01 -------- d-------- C:\Program Files\Common Files\adobe
2006-12-29 11:01 -------- d-------- C:\DOCUME~1\PAULEL~1\Application Data\adobe
2006-12-25 12:47 108144 --a------ C:\WINDOWS\system32\cmdlineext.dll
2006-12-21 23:32 -------- d-------- C:\Program Files\yahoo!
2006-12-17 18:36 -------- d-------- C:\Program Files\skype
2006-12-16 13:06 -------- d-------- C:\DOCUME~1\PAULEL~1\Application Data\ppstream
2006-12-16 12:53 -------- d-------- C:\Program Files\21cn
2006-12-08 20:17 -------- d-------- C:\Program Files\getright
2006-12-07 23:51 -------- d-------- C:\Program Files\musicmatch
2006-12-06 15:44 -------- d-------- C:\DOCUME~1\PAULEL~1\Application Data\getrighttogo
2006-11-28 20:19 -------- d-------- C:\Program Files\tvuplayer
2006-11-28 13:59 -------- d-------- C:\Program Files\onshare
2006-10-22 12:22 888832 --a------ C:\WINDOWS\system32\nvmobls.dll
2006-10-22 12:22 86016 --a------ C:\WINDOWS\system32\nvmctray.dll
2006-10-22 12:22 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2006-10-22 12:22 794624 --a------ C:\WINDOWS\system32\nvcplui.exe
2006-10-22 12:22 7700480 --a------ C:\WINDOWS\system32\nvcpl.dll
2006-10-22 12:22 581632 --a------ C:\WINDOWS\system32\nvhwvid.dll
2006-10-22 12:22 5644288 --a------ C:\WINDOWS\system32\nvoglnt.dll
2006-10-22 12:22 5619712 --a------ C:\WINDOWS\system32\nvdisps.dll
2006-10-22 12:22 5255168 --a------ C:\WINDOWS\system32\nvdispsr.dll
2006-10-22 12:22 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2006-10-22 12:22 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2006-10-22 12:22 4527488 --a------ C:\WINDOWS\system32\nv4_disp.dll
2006-10-22 12:22 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2006-10-22 12:22 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2006-10-22 12:22 425984 --a------ C:\WINDOWS\system32\keystone.exe
2006-10-22 12:22 35840 --a------ C:\WINDOWS\system32\nvcodins.dll
2006-10-22 12:22 35840 --a------ C:\WINDOWS\system32\nvcod.dll
2006-10-22 12:22 3203072 --a------ C:\WINDOWS\system32\nvgamesr.dll
2006-10-22 12:22 311296 --a------ C:\WINDOWS\system32\nvexpbar.dll
2006-10-22 12:22 3047424 --a------ C:\WINDOWS\system32\nvgames.dll
2006-10-22 12:22 2973696 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2006-10-22 12:22 2924544 --a------ C:\WINDOWS\system32\nvvitvs.dll
2006-10-22 12:22 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2006-10-22 12:22 2859008 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2006-10-22 12:22 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2006-10-22 12:22 212992 --a------ C:\WINDOWS\system32\nvapi.dll
2006-10-22 12:22 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2006-10-22 12:22 1732608 --a------ C:\WINDOWS\system32\nvwssr.dll
2006-10-22 12:22 1662976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2006-10-22 12:22 1622016 --a------ C:\WINDOWS\system32\nwiz.exe
2006-10-22 12:22 159810 --a------ C:\WINDOWS\system32\nvsvc32.exe
2006-10-22 12:22 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2006-10-22 12:22 1470464 --a------ C:\WINDOWS\system32\nview.dll
2006-10-22 12:22 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2006-10-22 12:22 1236992 --a------ C:\WINDOWS\system32\nvwss.dll
2006-10-22 12:22 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2006-10-22 12:22 1011712 --a------ C:\WINDOWS\system32\nvcpluir.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SystemMgr"="C:\\WINDOWS\\system32\\Ir32_a.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://wow.allakhazam.com/cluster/map.pl?mobid=10182;zoneid=1005;size=small

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AAVMKER4
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ASWMON2
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ASWRDR
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ASWTDI
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ASWUPDSV
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVAST!_ANTIVIRUS
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVAST!_MAIL_SCANNER
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVAST!_WEB_SCANNER

Completion time: 07-01-21 8:10:52
 

Discussion Starter · #5 ·
There was nothing running wrong; it's just that someone managed to get into my WoW (World of Warcraft) account and stripped me clean...

So nothing is wrong; makes you wonder how they got in :/

Thanks guys
 