TechSpot

Infected with a keylogger, please help

By Tecnot
Dec 25, 2010
  1. Happy Holidays!

    Recently my email address was compromised, along with my World of Warcraft account. I changed to another email address, and that was compromised too the next day (I can no longer access either email address, as they changed the security questions as well). Undoubtedly I have a keylogger on my system; however, I can't figure out how to remove it! I've changed my bank information on another system so that doesn't get compromised. The email I created to register for this site will likely be taken from me soon as well; however, I had no choice but to use this infected PC for that in order to get the logs to post. Ad-Aware, AVG Anti-Virus, Windows Defender, Spybot S&D, and Malwarebytes full scans have all come up with nothing; AVG Tune-up and CCleaner have not solved the problem either. Please help me eliminate this keylogger; it has me stumped!

    Following the sticky guidelines, I'll now post the logs from Malware Bytes, GMER, and DDS.



    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5388

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18999

    12/24/2010 12:25:17 PM
    mbam-log-2010-12-24 (12-25-17).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 344595
    Time elapsed: 49 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-25 07:17:35
    Windows 6.0.6002 Service Pack 2
    Running: dhr3zlcw.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0F 0x8A 0xD5 0x75 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0F 0x8A 0xD5 0x75 ...

    ---- EOF - GMER 1.0.15 ----



    DDS (Ver_10-12-12.02) - NTFS_AMD64
    Run by Tom at 7:26:04.96 on Sat 12/25/2010
    Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_22
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1712 [GMT -8:00]

    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\PROGRA~2\AVG\AVG10\avgchsva.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\MHotKey.exe
    C:\Windows\ChiFuncExt.exe
    C:\Windows\system32\agr64svc.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
    C:\Program Files (x86)\AVG\AVG10\avgemca.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\CNYHKey.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\AVG\AVG10\avgtray.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Windows\ModLedKey.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\system32\taskeng.exe
    C:\PROGRA~2\AVG\AVG10\avgrsa.exe
    C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Tom\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uSearch Bar = Preserve
    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1108&m=fx6800-01e&c=BB
    mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1108&m=fx6800-01e&c=BB
    mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1108&m=fx6800-01e&c=BB
    mWinlogon: Userinit=userinit.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    mRun: [VolPanel] "C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" /r
    mRun: [UpdReg] C:\Windows\UpdReg.EXE
    mRun: [LchDrvKey] LchDrvKey.exe
    mRun: [LedKey] CNYHKey.exe
    mRun: [eRecoveryService]
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
    mRunOnce: [B Register C:\Program Files (x86)\DivX\DivX Plus DirectShow Filters\DivXDecH264.ax] "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\DivX\DivX Plus DirectShow Filters\DivXDecH264.ax",DllRegisterServer
    dRunOnce: [StartMSu] "C:\Program Files (x86)\Creative\MediaSource5\Startmsu.exe" /s
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
    BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll
    BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun-x64: [RunDLLEntry] C:\Windows\system32\RunDLL32.exe C:\Windows\system32\AmbRunE.dll,RunDLLEntry
    mRun-x64: [IAAnotif] "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe"
    mRun-x64: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    mRun-x64: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

    ================= FIREFOX ===================

    FF - ProfilePath - C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\bnzr58a6.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
    FF - prefs.js: browser.search.selectedEngine - Winamp Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
    FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox\components\avgssff.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\real\realplayer\Netscape6\nppl3260.dll
    FF - plugin: c:\program files\real\realplayer\Netscape6\nprjplug.dll
    FF - plugin: c:\program files\real\realplayer\Netscape6\nprpjplug.dll
    FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
    FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - C:\Program Files (x86)\AVG\AVG10\Firefox

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;C:\Windows\System32\drivers\AVGIDSEH.sys [2010-9-13 27216]
    R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2010-9-7 30288]
    R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2008-1-9 55024]
    R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2010-9-7 305232]
    R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2010-9-7 41040]
    R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2010-11-9 382032]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-10-26 203776]
    R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2010-11-10 6127184]
    R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2010-10-22 265400]
    R2 ETService;Empowering Technology Service;C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-11-11 24576]
    R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2010-10-26 8012288]
    R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-10-26 287232]
    R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\AVGIDSDriver.sys [2010-8-19 133712]
    R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\System32\drivers\AVGIDSFilter.sys [2010-8-19 35920]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;C:\Windows\System32\drivers\e1y60x64.sys [2008-9-30 316544]
    R3 Point64;Microsoft IntelliPoint Filter Driver;C:\Windows\System32\drivers\point64k.sys [2009-5-8 33160]
    R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RTS5121.sys [2008-11-11 204288]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2008-1-9 79360]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-1-9 79360]
    S3 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
    S3 Symantec Core LC;Symantec Core LC;C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [2008-1-9 1245064]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
    S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-23 89920]
    S4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]

    =============== File Associations ===============

    JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

    =============== Created Last 30 ================

    2010-12-25 07:03:42 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
    2010-12-25 07:03:42 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy
    2010-12-24 15:13:33 49752 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
    2010-12-24 15:09:55 -------- d-----w- C:\Users\Tom\AppData\Local\Sunbelt Software
    2010-12-24 13:58:27 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2010-12-24 13:58:23 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2010-12-24 13:28:52 -------- d--h--w- C:\$AVG
    2010-12-24 11:37:30 -------- d-----w- C:\Windows\SysWow64\drivers\AVG
    2010-12-24 11:35:55 -------- d-----w- C:\Windows\System32\drivers\AVG
    2010-12-24 11:33:56 -------- d-----w- C:\Program Files (x86)\AVG
    2010-12-24 09:58:12 8199504 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{13846A47-A914-4074-A346-5DF6B7B89EE6}\mpengine.dll
    2010-12-14 20:13:59 77312 ----a-w- C:\Windows\System32\iesetup.dll
    2010-12-06 01:49:36 0 ----a-w- C:\Windows\ativpsrm.bin
    2010-12-06 01:43:24 -------- d-----w- C:\Program Files (x86)\ATI Technologies
    2010-12-06 01:43:18 -------- d-----w- C:\Program Files\ATI
    2010-12-06 01:42:44 -------- d-----w- C:\Program Files\ATI Technologies
    2010-12-06 01:42:01 -------- d-----w- C:\ATI

    ==================== Find3M ====================

    2010-12-21 02:08:40 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2010-11-10 06:20:56 382032 ----a-w- C:\Windows\System32\drivers\avgtdia.sys
    2010-11-06 11:18:48 500224 ----a-w- C:\Windows\System32\wmicmiplugin.dll
    2010-11-06 11:18:27 655872 ----a-w- C:\Windows\System32\taskschd.dll
    2010-11-06 11:18:27 410112 ----a-w- C:\Windows\System32\taskcomp.dll
    2010-11-06 11:18:13 855040 ----a-w- C:\Windows\System32\schedsvc.dll
    2010-11-04 23:58:17 267776 ----a-w- C:\Windows\System32\taskeng.exe
    2010-11-04 18:55:38 352768 ----a-w- C:\Windows\SysWow64\taskschd.dll
    2010-11-04 18:55:38 270336 ----a-w- C:\Windows\SysWow64\taskcomp.dll
    2010-11-04 16:34:06 171520 ----a-w- C:\Windows\SysWow64\taskeng.exe
    2010-11-02 06:27:41 1147904 ----a-w- C:\Windows\System32\wininet.dll
    2010-11-02 06:24:01 56832 ----a-w- C:\Windows\System32\licmgr10.dll
    2010-11-02 06:23:47 1538560 ----a-w- C:\Windows\System32\inetcpl.cpl
    2010-11-02 06:23:35 132096 ----a-w- C:\Windows\System32\iesysprep.dll
    2010-11-02 06:01:54 916480 ----a-w- C:\Windows\SysWow64\wininet.dll
    2010-11-02 05:57:41 43520 ----a-w- C:\Windows\SysWow64\licmgr10.dll
    2010-11-02 05:57:27 1469440 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2010-11-02 05:57:11 71680 ----a-w- C:\Windows\SysWow64\iesetup.dll
    2010-11-02 05:57:11 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
    2010-11-02 05:25:33 479232 ----a-w- C:\Windows\System32\html.iec
    2010-11-02 05:01:31 385024 ----a-w- C:\Windows\SysWow64\html.iec
    2010-11-02 04:45:37 162816 ----a-w- C:\Windows\System32\ieUnatt.exe
    2010-11-02 04:44:24 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2010-11-02 04:26:10 133632 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2010-11-02 04:24:44 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2010-10-28 16:29:18 48128 ----a-w- C:\Windows\System32\atmlib.dll
    2010-10-28 15:44:56 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
    2010-10-28 14:05:21 367104 ----a-w- C:\Windows\System32\atmfd.dll
    2010-10-28 13:56:57 2048 ----a-w- C:\Windows\System32\tzres.dll
    2010-10-28 13:27:47 292352 ----a-w- C:\Windows\SysWow64\atmfd.dll
    2010-10-28 13:20:12 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2010-10-27 04:00:14 8012288 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
    2010-10-27 03:25:36 21422592 ----a-w- C:\Windows\System32\atio6axx.dll
    2010-10-27 03:08:16 16281600 ----a-w- C:\Windows\SysWow64\atioglxx.dll
    2010-10-27 02:55:30 143360 ----a-w- C:\Windows\System32\atiapfxx.exe
    2010-10-27 02:55:22 547328 ----a-w- C:\Windows\SysWow64\aticfx32.dll
    2010-10-27 02:54:22 645120 ----a-w- C:\Windows\System32\aticfx64.dll
    2010-10-27 02:52:18 450560 ----a-w- C:\Windows\System32\ATIDEMGX.dll
    2010-10-27 02:52:12 478208 ----a-w- C:\Windows\System32\atieclxx.exe
    2010-10-27 02:51:36 203776 ----a-w- C:\Windows\System32\atiesrxx.exe
    2010-10-27 02:50:28 120320 ----a-w- C:\Windows\System32\atitmm64.dll
    2010-10-27 02:50:14 423424 ----a-w- C:\Windows\System32\atipdl64.dll
    2010-10-27 02:50:08 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
    2010-10-27 02:49:56 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
    2010-10-27 02:49:52 16384 ----a-w- C:\Windows\System32\atimuixx.dll
    2010-10-27 02:49:48 59392 ----a-w- C:\Windows\System32\atiedu64.dll
    2010-10-27 02:49:44 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
    2010-10-27 02:46:56 4020736 ----a-w- C:\Windows\SysWow64\atidxx32.dll
    2010-10-27 02:38:02 4744704 ----a-w- C:\Windows\System32\atidxx64.dll
    2010-10-27 02:35:28 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
    2010-10-27 02:35:26 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
    2010-10-27 02:35:18 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
    2010-10-27 02:35:16 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
    2010-10-27 02:35:06 6815744 ----a-w- C:\Windows\System32\aticaldd64.dll
    2010-10-27 02:33:50 5441536 ----a-w- C:\Windows\SysWow64\aticaldd.dll
    2010-10-27 02:28:20 4094464 ----a-w- C:\Windows\SysWow64\atiumdag.dll
    2010-10-27 02:22:02 5218304 ----a-w- C:\Windows\System32\atiumd64.dll
    2010-10-27 02:14:58 58880 ----a-w- C:\Windows\System32\coinst.dll
    2010-10-27 02:14:56 349184 ----a-w- C:\Windows\System32\atiadlxx.dll
    2010-10-27 02:14:50 249856 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
    2010-10-27 02:14:42 14848 ----a-w- C:\Windows\System32\atig6pxx.dll
    2010-10-27 02:14:40 12800 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
    2010-10-27 02:14:40 12800 ----a-w- C:\Windows\System32\atiglpxx.dll
    2010-10-27 02:14:36 31744 ----a-w- C:\Windows\System32\atig6txx.dll
    2010-10-27 02:14:30 27136 ----a-w- C:\Windows\SysWow64\atigktxx.dll
    2010-10-27 02:14:22 287232 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
    2010-10-27 02:13:42 39936 ----a-w- C:\Windows\System32\atiuxp64.dll
    2010-10-27 02:13:34 30720 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
    2010-10-27 02:13:28 37888 ----a-w- C:\Windows\System32\atiu9p64.dll
    2010-10-27 02:13:22 28672 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
    2010-10-27 02:13:04 26112 ----a-w- C:\Windows\System32\atitmp64.dll
    2010-10-27 02:12:54 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
    2010-10-27 01:57:02 3221504 ----a-w- C:\Windows\System32\atiumd6a.dll
    2010-10-27 01:50:08 3460096 ----a-w- C:\Windows\SysWow64\atiumdva.dll
    2010-10-27 01:37:16 53760 ----a-w- C:\Windows\System32\atimpc64.dll
    2010-10-27 01:37:16 53760 ----a-w- C:\Windows\System32\amdpcom64.dll
    2010-10-27 01:37:12 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
    2010-10-27 01:37:12 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
    2010-10-19 18:41:44 270720 ------w- C:\Windows\System32\MpSigStub.exe
    2010-10-18 15:35:48 87552 ----a-w- C:\Windows\System32\consent.exe
    2010-10-18 15:25:36 2753536 ----a-w- C:\Windows\System32\win32k.sys

    ============= FINISH: 7:26:28.32 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 11/11/2008 5:13:35 PM
    System Uptime: 12/25/2010 6:34:07 AM (1 hours ago)

    Motherboard: Gateway | | TBGM01
    Processor: Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz | CPU 1 | 2667/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 689 GiB total, 202.579 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================


    ==== Installed Programs ======================


    µTorrent
    AC3Filter 1.63b
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.0
    Age of Wonders
    Amazon MP3 Downloader 1.0.3
    Apple Software Update
    ATMA V 5.05
    AVerMedia M791 PCIe Combo NTSC/ATSC 6.104.64.5
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center InstallProxy
    ccc-core-static
    CCC Help English
    Compatibility Pack for the 2007 Office system
    Creative ALchemy
    Creative MediaSource 5
    CyberLink LabelPrint
    CyberLink Power2Go
    D3DX10
    Diablo II
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Setup
    DivX Version Checker
    Dragon Age: Origins
    Driver Sweeper version 2.5.0
    FLV Player 2.0 (build 25)
    Fraps
    Gateway Games
    Gateway Recovery Management
    GearDrvs
    Heroes of Might and Magic V
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Java Auto Updater
    Java(TM) 6 Update 22
    Java(TM) 6 Update 5
    KB0817 Keyboard Driver
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft Money Essentials
    Microsoft Money Shared Libraries
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Mozilla Firefox (3.6.13)
    MSVCRT
    NVIDIA PhysX
    Peggle Deluxe 1.01
    Peggle Nights Deluxe 1.0
    Peggle World of Warcraft Edition
    QuickTime
    RealPlayer
    Realtek Card Reader
    RealUpgrade 1.0
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Segoe UI
    SmartCopy
    SmartLauncher
    Sound Blaster X-Fi MB
    Spybot - Search & Destroy
    Star Wars Empire at War
    Star Wars Empire at War Forces of Corruption
    Star Wars(R) Knights of the Old Republic(R) II: The Sith Lords(TM)
    Station Launcher
    The Lord of the Rings Online™ v03.02.03.8013
    Torchlight
    TreeSize Free V2.4
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    VC80CRTRedist - 8.0.50727.4053
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Visual C++ 8.0 Runtime Setup Package (x64)
    Visual Studio 2008 x64 Redistributables
    Warcraft III
    Warcraft III: All Products
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Installer
    Windows Live Messenger
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Media Player Firefox Plugin
    WinRAR archiver
    World of Warcraft

    ==== End Of File ===========================
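As an added example (not code from the original post, from DDS, or from the forum sticky), the Python below splits a pasted DDS log on its section banners and pulls out the entries a helper reads first: processes running outside the usual directories, orphaned or path-less autostart entries, and kernel drivers created in the last 30 days. The sample excerpt is constructed from lines of the log above; the directory allowlist is an assumption, and a hit means "look at this", not "this is the keylogger".

```python
"""Triage a pasted DDS log by its ==== section banners. Added example for this
thread, not part of DDS or the posts; SAMPLE_DDS is a constructed excerpt of the log above."""
import re

SAMPLE_DDS = r"""
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\Explorer.EXE
C:\Windows\MHotKey.exe
C:\Windows\ChiFuncExt.exe
C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
C:\Users\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
mRun: [LedKey] CNYHKey.exe
mRun: [eRecoveryService]

=============== Created Last 30 ================

2010-12-24 15:13:33 49752 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2010-12-24 13:58:27 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2010-12-24 13:58:23 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^[a-z]+Run(?:Once)?(?:-x64)?: \[[^\]]*\]\s*(.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?:\d+|-+)\s+\S+\s+(.+)$")

# Assumed: directories the processes in a stock Vista DDS log are expected to run from.
EXPECTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\ehome\\",
                     "c:\\program files\\", "c:\\program files (x86)\\", "c:\\progra~1\\", "c:\\progra~2\\")
ROOT_ALLOWLIST = {"explorer.exe"}  # the one binary expected directly in C:\Windows

def split_sections(text):
    """Map each '==== Name ====' banner to the non-blank lines under it."""
    sections, current = {}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections

def classify_process(entry):
    """Reason to look at a Running Processes line, or None when its location is routine."""
    low = entry.lower()
    if low.startswith("c:\\users\\"):
        return "user-profile"   # services and startup items rarely run from a profile
    if "\\temp\\" in low:
        return "temp-dir"
    win = "c:\\windows\\"
    if low.startswith(win) and "\\" not in low[len(win):]:
        name = low[len(win):].split(" ")[0]
        return None if name in ROOT_ALLOWLIST else "windows-root"  # OEM utilities often sit here; verify each
    return None if low.startswith(EXPECTED_PREFIXES) else "unusual-path"

def flag_processes(lines):
    return [(line, classify_process(line)) for line in lines if classify_process(line)]

def review_hjt(lines):
    """Orphaned BHOs and Run entries without a path: not proof of infection, but checked first."""
    findings = []
    for line in lines:
        if line.endswith(" - No File"):
            findings.append((line, "no-file"))   # registered component whose file is gone
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        cmd = m.group(1).strip()
        if not cmd:
            findings.append((line, "empty-command"))
        elif "\\" not in cmd:
            findings.append((line, "bare-filename"))   # resolved through the search path at logon
    return findings

def recent_drivers(lines):
    """Kernel drivers (.sys) from the Created Last 30 section, newest first as DDS lists them."""
    found = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m and m.group(2).lower().endswith(".sys"):
            found.append((m.group(1), m.group(2)))
    return found

def triage(text):
    s = split_sections(text)
    return {"processes": flag_processes(s.get("Running Processes", [])),
            "hjt": review_hjt(s.get("Pseudo HJT Report", [])),
            "drivers": recent_drivers(s.get("Created Last 30", []))}
```

Run `triage(open("dds.txt").read())` against a full pasted log; every hit is a starting point for checking the file's publisher and signature, nothing more.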
     
  2. Bobbye


    Which email are you using? If it's web-based such as Hotmail, your account could have been hacked from the internet. Did you set up the new account in the same mail program? What happened to let you know the account was compromised?

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =======================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query - Recovery Console image (not reproduced here)
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (image not reproduced here):
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    We'll see if either of these programs turns anything up. You will have to uninstall AVG to run Combofix. Try disabling it first- but if you get the error message about AVG being on the system, Combofix can't run, you'll have to remove it.
     
  3. Tecnot

    Tecnot TS Rookie Topic Starter

    The first email was hotmail, and the second and third were gmail. I could tell that my Warcraft account was compromised (first notification of the infection) as I was online at the time, and it kicked me off as another user logged in from a different address and changed the password. Trying to log into any email account I've accessed recently leads to the discovery of a changed password and security question despite 12+ digit long strings of random letters and numbers I write down on a piece of paper that no one has access to but myself.

    It's pretty common knowledge that the hijackers are based out of China, and their goals are to take control of virtual accounts and items for real monetary sale. Often fraudulent transactions towards a bank or credit account are made as well. By also controlling email accounts involved they can ensure a user cannot regain access from automated systems, thus securing the theft. This all leads me to believe they are recording keystrokes from this machine, and possibly more (such as images captured at relevant times).

    I've spent many, many hours trying to piece together bits of info and learn this stuff for myself. It's quite a daunting task. My uneducated guess tells me that the culprits are ChiFuncExt.exe, MHotKey.exe, CNYHKey.exe, ModLedKey.exe and probably others (for running processes at least). I don't know much about the registry and files. The reason I suspect these processes is that I use a microsoft wireless keyboard that should be using intellitype software drivers, and these programs are made by Chicony (a Chinese keyboard manufacturer) or could be malware disguised as such. I have no clue how the information is transmitted to the hijacker through the internet.



    Here are the results from temporarily disabling AVG and running Eset NOD32 (Remove found threats / Scan archives unchecked; Scan unwanted apps / Scan unsafe apps / Anti-stealth technology are checked):

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=923bfc765d0ecd419bcd47cc92f03147
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-12-26 06:44:13
    # local_time=2010-12-25 10:44:13 (-0800, Pacific Standard Time)
    # country="United States"
    # lang=1033
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1032 16777213 100 88 0 50066268 0 0
    # compatibility_mode=5893 16776574 100 52 0 129940913 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=204119
    # found=0
    # cleaned=0
    # scan_time=3638



    Uninstalled AVG and ran ComboFix; here are the results (towards the end of the process it said PEV.cfxxe has stopped working numerous times on the Vista 64bit operating system, if this is of any significance).

    ComboFix 10-12-25.02 - Tom 12/26/2010 1:23.1.8 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1826 [GMT -8:00]
    Running from: c:\users\Tom\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2010-11-26 to 2010-12-26 )))))))))))))))))))))))))))))))
    .

    2010-12-26 09:31 . 2010-12-26 09:31 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-12-25 07:03 . 2010-12-25 07:06 -------- d-----w- c:\progra~3\Spybot - Search & Destroy
    2010-12-25 07:03 . 2010-12-25 07:06 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2010-12-24 15:09 . 2010-12-24 15:09 -------- d-----w- c:\users\Tom\AppData\Local\Sunbelt Software
    2010-12-24 15:07 . 2010-12-25 06:39 -------- d-----w- c:\progra~3\Lavasoft
    2010-12-24 13:58 . 2010-12-21 02:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2010-12-24 13:58 . 2010-12-24 13:58 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2010-12-24 09:58 . 2010-11-10 05:35 8199504 ----a-w- c:\progra~3\Microsoft\Windows Defender\Definition Updates\{13846A47-A914-4074-A346-5DF6B7B89EE6}\mpengine.dll
    2010-12-14 20:13 . 2010-11-02 06:23 300544 ----a-w- c:\program files\Internet Explorer\IEShims.dll
    2010-12-06 01:49 . 2010-12-06 01:49 -------- d-----w- c:\progra~3\ATI
    2010-12-06 01:49 . 2010-12-06 01:49 0 ----a-w- c:\windows\ativpsrm.bin
    2010-12-06 01:43 . 2010-12-06 01:43 -------- d-----w- c:\program files (x86)\ATI Technologies
    2010-12-06 01:43 . 2010-12-06 01:43 -------- d-----w- c:\program files\ATI
    2010-12-06 01:42 . 2010-12-06 01:46 -------- d-----w- c:\program files\ATI Technologies
    2010-12-06 01:42 . 2010-12-06 01:42 -------- d-----w- C:\ATI

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-27 03:08 . 2010-10-27 03:08 16281600 ----a-w- c:\windows\SysWow64\atioglxx.dll
    2010-10-27 02:55 . 2010-10-27 02:55 547328 ----a-w- c:\windows\SysWow64\aticfx32.dll
    2010-10-27 02:50 . 2010-10-27 02:50 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
    2010-10-27 02:49 . 2010-10-27 02:49 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
    2010-10-27 02:49 . 2010-10-27 02:49 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
    2010-10-27 02:46 . 2010-10-27 02:46 4020736 ----a-w- c:\windows\SysWow64\atidxx32.dll
    2010-10-27 02:35 . 2010-10-27 02:35 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
    2010-10-27 02:35 . 2010-10-27 02:35 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
    2010-10-27 02:33 . 2010-10-27 02:33 5441536 ----a-w- c:\windows\SysWow64\aticaldd.dll
    2010-10-27 02:28 . 2010-10-27 02:28 4094464 ----a-w- c:\windows\SysWow64\atiumdag.dll
    2010-10-27 02:14 . 2010-10-27 02:14 249856 ----a-w- c:\windows\SysWow64\atiadlxy.dll
    2010-10-27 02:14 . 2010-10-27 02:14 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
    2010-10-27 02:14 . 2010-10-27 02:14 27136 ----a-w- c:\windows\SysWow64\atigktxx.dll
    2010-10-27 02:13 . 2010-10-27 02:13 30720 ----a-w- c:\windows\SysWow64\atiuxpag.dll
    2010-10-27 02:13 . 2010-10-27 02:13 28672 ----a-w- c:\windows\SysWow64\atiu9pag.dll
    2010-10-27 01:50 . 2010-10-27 01:50 3460096 ----a-w- c:\windows\SysWow64\atiumdva.dll
    2010-10-27 01:37 . 2010-10-27 01:37 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
    2010-10-27 01:37 . 2010-10-27 01:37 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "VolPanel"="c:\program files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2008-07-10 225396]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
    "LedKey"="CNYHKey.exe" [2008-04-24 339968]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-27 98304]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]
    "B Register c:\program files (x86)\DivX\DivX Plus DirectShow Filters\DivXDecH264.ax"="c:\windows\system32\rundll32.exe" [2006-11-02 44544]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "StartMSu"="c:\program files (x86)\Creative\MediaSource5\Startmsu.exe" [2006-10-03 81920]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux3"=wdmaud.drv

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2008-11-12 79360]
    R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-01-10 79360]
    R3 gwfilt64;gwfilt64;c:\windows\system32\drivers\gwfilt64.sys [x]
    R3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
    R3 SysInfo;SysInfo;c:\windows\system32\drivers\SysInfo.sys [x]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
    R4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
    R4 ETService;Empowering Technology Service;c:\program files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-06-11 24576]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-31 55024]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-03-01 867064]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-10-27 203776]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-10-27 8012288]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-10-27 287232]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys [2008-06-13 316544]
    S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64k.sys [2009-05-09 33160]
    S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [2008-06-04 204288]

    .

    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="%ProgramFiles%\Windows Defender\MSASCui.exe -hide" [X]
    "RunDLLEntry"="c:\windows\system32\RunDLL32.exe" [2006-11-02 46592]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-21 182808]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 2342800]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 2314120]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1108&m=fx6800-01e&c=BB
    mLocal Page = c:\windows\SysWOW64\blank.htm
    FF - ProfilePath - c:\users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\bnzr58a6.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
    FF - prefs.js: browser.search.selectedEngine - Winamp Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
    .
    - - - - ORPHANS REMOVED - - - -

    Wow6432Node-HKLM-Run-eRecoveryService - (no file)


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2010-12-26 01:33:54
    ComboFix-quarantined-files.txt 2010-12-26 09:33

    Pre-Run: 216,132,399,104 bytes free
    Post-Run: 216,041,463,808 bytes free

    - - End Of File - - 9FECC8738E9F1B937FAAC86133F34907



    I really appreciate the help. My hope is to get the system cleaned up, and then perhaps share information with individuals who may have the same thing going on but are as or more clueless than I am on where and how to solve the problem at hand (such that this compromise method doesn't recur).
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You have 8 versions of Java as addons in Firefox. These are a vulnerability.
    Please open Firefox> Tools> Addons> highlight and remove versions v6u13 through v621.
    Close Addons

    Check this site: Java Updates. The current version is v6u23. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

    NOTE: you do not have to use the addons feature in Firefox for Java. When you keep it updated through Programs, this will include Firefox.

    I know you're looking for a keylogger, but I'm not seeing it. Consider this please: yes, a lot of hacking and cracking comes out of the CHINANET backbone. One reason is because they have the highest per capita internet access of any nation. But to suspect that China is behind your problem because your motherboard was made in China is foolish. Almost everything you turn over and read the label on the bottom says 'Made in China'!

    As for helping others with the same problem, when we find it, keep in mind that malware help is very specific for that user, for that machine. Even though we may use the same scans, what we do with the results are specific.
    ==============================================
    I'm going to direct you to How to Use Microsoft Process Explorer to Find Keyloggers
    It is well set up, including screen shots, and takes you step by step.

    Because of the nature of a keylogger, there aren't many specific, legitimate and reliable programs to find one. Spybot Search & Destroy has the ability, but you said you ran it with no results.
    ======================================
    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\DRIVERS\Rts516xIR.sys
    c:\windows\system32\drivers\gwfilt64.sys
    Folder::

    DDS::
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = mLocal Page = c:\windows\SysWOW64\blank.htm
    mRun: [LchDrvKey] LchDrvKey.exe
    mRun: [LedKey] CNYHKey.exe
    RegLock::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "LchDrvKey"=-
    "LedKey"=-

    Driver::
    Rts516xIR
    gwfilt64
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    Note: The 'key' entries are not malware. I am disabling them as a precaution.
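The two things the helper picked out of the ComboFix log in post 3 (Run-key values that name a bare executable such as LchDrvKey.exe and CNYHKey.exe, and entries tagged [X]) and the stack of Java Console add-ons flagged in post 4 can be pulled out of such a log mechanically. The script below is an added example for this thread, not ComboFix's code and not anything either poster ran; SAMPLE_LOG is constructed from lines quoted in the posted logs, and the decoding of Sun's Java Console add-on id ({CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} = JRE 1.6.0_12) is the author's own, not something the thread states.

```python
"""Triage helper for ComboFix-style 'Reg Loading Points' and 'FF - Ext:' lines.

Reports three things a helper looks at before writing a CFScript:
  * Run/RunOnce values whose program has no directory component: Windows has to
    find such a binary by search path, so the entry alone does not tell you which
    file actually runs (Bobbye's note above: not malware, disabled as a precaution);
  * values ComboFix tagged [X], meaning the referenced file was not found;
  * several Firefox "Java Console" add-ons side by side, each with the JRE version
    decoded from the add-on GUID (assumption: {CAFEEFAC-0016-0000-00UU-...} = 1.6.0_UU).
"""
import re

# "Name"="command" [yyyy-mm-dd size]   or   "Name"="command" [X]
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<tag>[^\]]*)\]')
# Java Console add-on id: 2nd group encodes the major version, 4th the update number.
JAVA_CONSOLE = re.compile(r'Java Console: \{CAFEEFAC-(\d{4})-0000-(\d{4})-ABCDEFFEDCBA\}', re.I)
# Program part of a Run command: everything up to the first .exe/.dll/.cfxxe/.ax token.
PROGRAM = re.compile(r'^(.*?\.(?:exe|dll|cfxxe|ax))(?:\s|$)', re.I)

# Constructed excerpt: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2008-07-10 225396]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="%ProgramFiles%\Windows Defender\MSASCui.exe -hide" [X]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 2342800]
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
"""


def parse_values(text):
    """Yield (key, name, command, tag) for every REGEDIT4-style value line."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]          # a new [HKEY_...] section header
            continue
        m = VALUE_LINE.match(line)
        if key and m:
            yield key, m['name'], m['cmd'], m['tag']


def program_of(command):
    """Program part of a Run command; falls back to the first token."""
    m = PROGRAM.match(command.strip())
    return m[1] if m else command.strip().split(' ', 1)[0]


def is_unpathed(program):
    """True when the program has no directory component at all (not even %VAR%)."""
    return not any(ch in program for ch in '\\/%')


def java_version(match):
    """'CAFEEFAC-0016-0000-0012' -> '1.6.0_12' (assumed GUID layout, see docstring)."""
    major, update = match[1], match[2]
    return f"{major[2]}.{major[3]}.0_{int(update)}"


def triage(text):
    """Return a list of (kind, name, detail) findings for a ComboFix excerpt."""
    findings = []
    for _key, name, cmd, tag in parse_values(text):
        if tag == 'X':
            findings.append(('missing-file', name, cmd))
        elif is_unpathed(program_of(cmd)):
            findings.append(('unpathed', name, program_of(cmd)))
    versions = [java_version(m) for m in JAVA_CONSOLE.finditer(text)]
    if len(versions) > 1:
        findings.append(('multiple-java-consoles', 'Java Console', ', '.join(versions)))
    return findings


if __name__ == '__main__':
    for kind, name, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {name:20} {detail}")
```

Run it against a pasted log to get the shortlist; it only reads text, so it is safe to use on the excerpt a poster has already shared.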
     
  5. Tecnot

    Tecnot TS Rookie Topic Starter

    Alright, I removed the 8 Java Console versions from Firefox addons (no idea why Java updates over the last couple years have been leaving vulnerable java console versions in firefox). I also removed the .NET framework assistant from firefox as per instructions here (it has always been disabled anyway): http://support.microsoft.com/kb/963707

    Downloaded Java and installed Update 23 (it replaced Update 22). Uninstalled the 'Update 5' that was also present in Add/Remove programs for some reason. Installing Update 23 added another Java Console to Firefox, which I removed. All that remains in Firefox addons are AdBlock Plus, ChatZilla (IRC program for mozilla channels), and NoScript (where I went through the whitelist name by name and ensured only a dozen or so trusted sites are listed like microsoft, amd, google, mozilla, my bank, etc).

    I want to say I have some kind of active win32.hooker trojan that has been stealing my information and passwords (keep in mind I have no idea what win32.hooker trojan even means, it's just a name I have come across with symptoms matching what is happening as I google stuff). The only way I believe this could have been contracted is when about 6 months ago, a youth visited who I discovered had downloaded a program called Poweriso to run some old game on a CD. Perhaps it could sit dormant for extended periods, only to appear at certain times?

    Downloaded and ran the Process Explorer utility (nifty tool compared to ctrl+shift+esc). I can't find any .dll that automatically highlights in purple as suspicious. I didn't kill any processes or change anything at all, just viewed (as per the forum guide to not change anything while someone is helping). I also tried viewing this utility while having Warcraft and Hotmail open with gibberish in the entry fields (on the hunch that the keylogger is dormant until it sees something to act on), but still everything was tagged with Microsoft Corporation or appears normal to my eyes (other than command line C:\Windows\MHotKey.exe having different capitalizations from path C:\Windows\mHotkey.exe).



    New ComboFix results:

    ComboFix 10-12-26.01 - Tom 12/27/2010 2:55.2.8 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1654 [GMT -8:00]
    Running from: c:\users\Tom\Desktop\ComboFix.exe
    Command switches used :: c:\users\Tom\Desktop\CFScript.txt
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    FILE ::
    "c:\windows\system32\drivers\gwfilt64.sys"
    "c:\windows\system32\DRIVERS\Rts516xIR.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_gwfilt64
    -------\Service_Rts516xIR


    ((((((((((((((((((((((((( Files Created from 2010-11-27 to 2010-12-27 )))))))))))))))))))))))))))))))
    .

    2010-12-27 11:03 . 2010-12-27 11:03 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-12-25 07:03 . 2010-12-25 07:06 -------- d-----w- c:\progra~3\Spybot - Search & Destroy
    2010-12-25 07:03 . 2010-12-25 07:06 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2010-12-24 15:09 . 2010-12-24 15:09 -------- d-----w- c:\users\Tom\AppData\Local\Sunbelt Software
    2010-12-24 15:07 . 2010-12-25 06:39 -------- d-----w- c:\progra~3\Lavasoft
    2010-12-24 13:58 . 2010-12-21 02:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2010-12-24 13:58 . 2010-12-24 13:58 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2010-12-24 09:58 . 2010-11-10 05:35 8199504 ----a-w- c:\progra~3\Microsoft\Windows Defender\Definition Updates\{13846A47-A914-4074-A346-5DF6B7B89EE6}\mpengine.dll
    2010-12-14 20:13 . 2010-11-02 06:23 300544 ----a-w- c:\program files\Internet Explorer\IEShims.dll
    2010-12-06 01:49 . 2010-12-06 01:49 -------- d-----w- c:\progra~3\ATI
    2010-12-06 01:49 . 2010-12-06 01:49 0 ----a-w- c:\windows\ativpsrm.bin
    2010-12-06 01:43 . 2010-12-06 01:43 -------- d-----w- c:\program files (x86)\ATI Technologies
    2010-12-06 01:43 . 2010-12-06 01:43 -------- d-----w- c:\program files\ATI
    2010-12-06 01:42 . 2010-12-06 01:46 -------- d-----w- c:\program files\ATI Technologies
    2010-12-06 01:42 . 2010-12-06 01:42 -------- d-----w- C:\ATI

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-13 02:53 . 2010-06-08 14:00 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2010-10-27 03:08 . 2010-10-27 03:08 16281600 ----a-w- c:\windows\SysWow64\atioglxx.dll
    2010-10-27 02:55 . 2010-10-27 02:55 547328 ----a-w- c:\windows\SysWow64\aticfx32.dll
    2010-10-27 02:50 . 2010-10-27 02:50 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
    2010-10-27 02:49 . 2010-10-27 02:49 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
    2010-10-27 02:49 . 2010-10-27 02:49 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
    2010-10-27 02:46 . 2010-10-27 02:46 4020736 ----a-w- c:\windows\SysWow64\atidxx32.dll
    2010-10-27 02:35 . 2010-10-27 02:35 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
    2010-10-27 02:35 . 2010-10-27 02:35 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
    2010-10-27 02:33 . 2010-10-27 02:33 5441536 ----a-w- c:\windows\SysWow64\aticaldd.dll
    2010-10-27 02:28 . 2010-10-27 02:28 4094464 ----a-w- c:\windows\SysWow64\atiumdag.dll
    2010-10-27 02:14 . 2010-10-27 02:14 249856 ----a-w- c:\windows\SysWow64\atiadlxy.dll
    2010-10-27 02:14 . 2010-10-27 02:14 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
    2010-10-27 02:14 . 2010-10-27 02:14 27136 ----a-w- c:\windows\SysWow64\atigktxx.dll
    2010-10-27 02:13 . 2010-10-27 02:13 30720 ----a-w- c:\windows\SysWow64\atiuxpag.dll
    2010-10-27 02:13 . 2010-10-27 02:13 28672 ----a-w- c:\windows\SysWow64\atiu9pag.dll
    2010-10-27 01:50 . 2010-10-27 01:50 3460096 ----a-w- c:\windows\SysWow64\atiumdva.dll
    2010-10-27 01:37 . 2010-10-27 01:37 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
    2010-10-27 01:37 . 2010-10-27 01:37 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-26_09.31.15 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 02:23 . 2010-12-27 06:53 63188 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2009-02-01 05:21 . 2010-12-26 09:15 15424 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-147557750-1053090812-367614911-1000_UserData.bin
    + 2009-02-01 05:21 . 2010-12-27 06:53 15424 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-147557750-1053090812-367614911-1000_UserData.bin
    - 2009-02-01 04:17 . 2010-12-25 16:07 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-02-01 04:17 . 2010-12-27 07:47 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-02-01 04:17 . 2010-12-25 16:07 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-02-01 04:17 . 2010-12-27 07:47 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-02-01 04:17 . 2010-12-25 16:07 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-02-01 04:17 . 2010-12-27 07:47 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-09-19 19:04 . 2010-12-25 18:43 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-09-19 19:04 . 2010-12-26 09:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-09-19 19:04 . 2010-12-25 18:43 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-09-19 19:04 . 2010-12-26 09:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-12-26 09:13 . 2010-12-26 09:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2010-12-27 11:04 . 2010-12-27 11:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-12-26 09:13 . 2010-12-26 09:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-12-27 11:04 . 2010-12-27 11:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-12-27 06:22 . 2010-11-13 02:53 157472 c:\windows\SysWOW64\javaws.exe
    - 2010-11-07 11:39 . 2010-09-15 12:50 145184 c:\windows\SysWOW64\javaw.exe
    + 2010-12-27 06:22 . 2010-11-13 02:53 145184 c:\windows\SysWOW64\javaw.exe
    - 2010-11-07 11:39 . 2010-09-15 12:50 145184 c:\windows\SysWOW64\java.exe
    + 2010-12-27 06:22 . 2010-11-13 02:53 145184 c:\windows\SysWOW64\java.exe
    + 2006-11-02 15:45 . 2010-12-27 06:53 157500 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2006-11-02 12:46 . 2010-12-26 09:20 613032 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2010-12-27 06:59 613032 c:\windows\system32\perfh009.dat
    - 2006-11-02 12:46 . 2010-12-26 09:20 107990 c:\windows\system32\perfc009.dat
    + 2006-11-02 12:46 . 2010-12-27 06:59 107990 c:\windows\system32\perfc009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "VolPanel"="c:\program files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2008-07-10 225396]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-27 98304]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]
    "B Register c:\program files (x86)\DivX\DivX Plus DirectShow Filters\DivXDecH264.ax"="c:\windows\system32\rundll32.exe" [2006-11-02 44544]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "StartMSu"="c:\program files (x86)\Creative\MediaSource5\Startmsu.exe" [2006-10-03 81920]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux3"=wdmaud.drv

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2008-11-12 79360]
    R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-01-10 79360]
    R3 SysInfo;SysInfo;c:\windows\system32\drivers\SysInfo.sys [x]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
    R4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
    R4 ETService;Empowering Technology Service;c:\program files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-06-11 24576]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-31 55024]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-03-01 867064]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-10-27 203776]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-10-27 8012288]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-10-27 287232]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys [2008-06-13 316544]
    S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64k.sys [2009-05-09 33160]
    S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [2008-06-04 204288]

    .

    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix"="c:\combofix\CF25038.cfxxe" [X]
    "RunDLLEntry"="c:\windows\system32\RunDLL32.exe" [2006-11-02 46592]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-21 182808]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 2342800]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 2314120]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = %SystemRoot%\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    FF - ProfilePath - c:\users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\bnzr58a6.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
    .
    - - - - ORPHANS REMOVED - - - -

    Wow6432Node-HKLM-Run-SunJavaUpdateSched - c:\program files (x86)\Java\jre6\bin\jusched.exe


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\MHotKey.exe
    c:\windows\ChiFuncExt.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    .
    **************************************************************************
    .
    Completion time: 2010-12-27 03:10:31 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-27 11:10
    ComboFix2.txt 2010-12-26 09:33

    Pre-Run: 228,715,298,816 bytes free
    Post-Run: 228,911,181,824 bytes free

    - - End Of File - - 40ECEE83183C82E050F1CDE9D2D7E8D8


    (Edited to add a minor note - After doing all of this, Window's Update decided to download Microsoft Security Essentials for Vista 64 to replace the missing AVG I suppose, and a scan found no threats. Windows Update also downloaded an update to .NET Framework 3.5 sp1 for the .NET Framework assistant 1.0 x64 for Firefox - I removed it again from Firefox addons).
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Regarding PowerISO:
    This is a disk image utility that can open, create, edit, compress, encrypt, mount and extract ISO files. This is a legitimate program and does come with a free trial. IF he downloaded it from a reputable site, it shouldn't be a problem.

    Regarding this: Windows Update & MSE:
    If you have given Windows free rein to download and install everything, then you must share in the consequences. I have never given up my control of my system to Microsoft. I decide which update I want and refuse those I don't, after exercising my right to check out an update and its information before I decide whether to d/l and install it.

    Regarding Java: Unfortunately, the new updates do not usually overwrite the older versions. A travesty I think, since it leaves vulnerabilities. And I see many logs with auto Java update that do not have the latest version and still have older versions.

    Regarding Sites in the Trusted Zone:
    You don't need to put any site in the trusted zone. The zone has lower security and domains do not need to be in there for you to exchange info. It's a gimmick when they tell you to put them in the Trusted Zone, because then they can get junk promotional emails through to you.
    =====================================
    Please run this Custom CFScript:

    [1]. Close any open browsers.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\SysInfo.sys 
    Folder::
    RegLock::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix"=-
    Driver::
    SysInfo
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    Please run this online virus scan:
    Run Kaspersky Online Scanner in Internet Explorer

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make sure that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
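A small parser for the ComboFix log format quoted in this thread, added here as an example (it is not a ComboFix or TechSpot tool): it pulls autostart values and services out of the "Reg Loading Points" section, flags the entries ComboFix marked [x]/[X] because the file was not found (the SysInfo driver and the stale combofix Run value that the CFScript above targets), and diffs the service list between two logs of the same machine to confirm a removal took effect. The two log excerpts are constructed from lines like those posted above.

```python
"""Triage helper for ComboFix-style logs (added example; not a ComboFix tool).

ComboFix prints autostart values as   "Name"="path" [YYYY-MM-DD size]
and services/drivers as               R3 Name;Display;path [YYYY-MM-DD size].
When the file at the path cannot be found, the bracket holds [x] or [X]
instead of a date and size.  Those unverifiable entries are what a helper
reviews first; they are candidates for review, not verdicts.
"""
import re
from dataclasses import dataclass

# Autostart value line, e.g.  "combofix"="c:\combofix\CF25038.cfxxe" [X]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# Service/driver line, e.g.  R3 SysInfo;SysInfo;c:\windows\...\SysInfo.sys [x]
SVC_RE = re.compile(r'^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);'
                    r'(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')
# Registry key header, e.g.  [HKEY_LOCAL_MACHINE\SOFTWARE\...\Run]
KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')


@dataclass(frozen=True)
class Entry:
    kind: str       # "run" (registry autostart value) or "service"
    container: str  # registry key for "run"; start type (R2, S3, ...) for "service"
    name: str
    path: str
    meta: str       # text inside the trailing brackets

    @property
    def file_missing(self) -> bool:
        """True when ComboFix could not find the file ([x] / [X])."""
        return self.meta.strip().lower() == "x"


def parse_combofix(text: str) -> list[Entry]:
    """Extract autostart values and services from the 'Reg Loading Points' part."""
    entries, current_key = [], ""
    for raw in text.splitlines():
        line = raw.strip()            # pasted logs carry leading indentation
        if m := KEY_RE.match(line):
            current_key = m.group("key")
        elif m := RUN_RE.match(line):
            entries.append(Entry("run", current_key, m["name"], m["path"], m["meta"]))
        elif m := SVC_RE.match(line):
            entries.append(Entry("service", m["start"], m["name"], m["path"], m["meta"]))
    return entries


def unverified(entries: list[Entry]) -> list[Entry]:
    """Entries whose on-disk file is missing: the first thing to look at."""
    return [e for e in entries if e.file_missing]


def diff_services(before: list[Entry], after: list[Entry]) -> tuple[set[str], set[str]]:
    """(removed, added) service names between two logs of the same machine."""
    b = {e.name for e in before if e.kind == "service"}
    a = {e.name for e in after if e.kind == "service"}
    return b - a, a - b


# Constructed excerpts modelled on the logs posted in this thread (before and
# after the CFScript that deletes SysInfo.sys and the combofix Run value).
BEFORE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
"StartMSu"="c:\program files (x86)\Creative\MediaSource5\Startmsu.exe" [2006-10-03 81920]

R3 SysInfo;SysInfo;c:\windows\system32\drivers\SysInfo.sys [x]
R4 ETService;Empowering Technology Service;c:\program files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-06-11 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF25038.cfxxe" [X]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 2314120]
'''
AFTER = r'''
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 40832]
R4 ETService;Empowering Technology Service;c:\program files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-06-11 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 2314120]
'''

if __name__ == "__main__":
    before, after = parse_combofix(BEFORE), parse_combofix(AFTER)
    for e in unverified(before):
        print(f"review: {e.kind:7} {e.name!r} -> {e.path} (in {e.container})")
    removed, added = diff_services(before, after)
    print("services removed:", sorted(removed), "added:", sorted(added))
```

A flagged entry only means the file was not at the recorded path; the AvgUninstallURL value, for instance, is a leftover from the AVG uninstaller rather than anything malicious, so each hit still needs a human look.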
     
  7. Tecnot

    Tecnot TS Rookie Topic Starter

    Ah, my mistake on wording there with Windows Update. Windows didn't automatically install them; they came up as 'recommended' and 'optional' updates (I did so since they are security related). Regarding PowerISO, after some discussion I learned that my relative did not get it from a reputable site (rather via torrent without my consent and using poor judgement). I use torrent technology through uTorrent rarely for legitimate purposes (like when a software developer distributes via torrent, but their proprietary software fails to perform well). I now believe this to be the most logical point of contraction, 6 months ago (unless those Java vulnerabilities allowed something through). Unfortunately this does me no good in identifying what exactly the infection is that may have come with it.

    ComboFix 10-12-28.03 - Tom 12/29/2010 7:19.3.8 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1539 [GMT -8:00]
    Running from: c:\users\Tom\Desktop\ComboFix.exe
    Command switches used :: c:\users\Tom\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
    SP: Microsoft Security Essentials *Disabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    FILE ::
    "c:\windows\system32\drivers\SysInfo.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_SysInfo


    ((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-29 )))))))))))))))))))))))))))))))
    .

    2010-12-29 15:26 . 2010-12-29 15:28 -------- d-----w- c:\users\Tom\AppData\Local\temp
    2010-12-29 15:26 . 2010-12-29 15:26 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-12-28 14:46 . 2010-11-10 05:35 8199504 ----a-w- c:\progra~3\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2010-12-28 14:46 . 2010-11-10 05:35 8199504 ----a-w- c:\progra~3\Microsoft\Microsoft Antimalware\Definition Updates\{A9C95022-1F2D-44F5-916B-CAF98E2E45A3}\mpengine.dll
    2010-12-27 12:02 . 2010-12-27 12:02 -------- d-----w- c:\program files (x86)\Microsoft Antimalware
    2010-12-27 12:02 . 2010-12-27 12:02 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-12-25 07:03 . 2010-12-25 07:06 -------- d-----w- c:\progra~3\Spybot - Search & Destroy
    2010-12-25 07:03 . 2010-12-25 07:06 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2010-12-24 15:09 . 2010-12-24 15:09 -------- d-----w- c:\users\Tom\AppData\Local\Sunbelt Software
    2010-12-24 15:07 . 2010-12-25 06:39 -------- d-----w- c:\progra~3\Lavasoft
    2010-12-24 13:58 . 2010-12-21 02:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2010-12-24 13:58 . 2010-12-24 13:58 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2010-12-24 09:58 . 2010-11-10 05:35 8199504 ----a-w- c:\progra~3\Microsoft\Windows Defender\Definition Updates\{13846A47-A914-4074-A346-5DF6B7B89EE6}\mpengine.dll
    2010-12-14 20:13 . 2010-11-02 06:23 300544 ----a-w- c:\program files\Internet Explorer\IEShims.dll
    2010-12-06 01:49 . 2010-12-06 01:49 -------- d-----w- c:\progra~3\ATI
    2010-12-06 01:49 . 2010-12-06 01:49 0 ----a-w- c:\windows\ativpsrm.bin
    2010-12-06 01:43 . 2010-12-06 01:43 -------- d-----w- c:\program files (x86)\ATI Technologies
    2010-12-06 01:43 . 2010-12-06 01:43 -------- d-----w- c:\program files\ATI
    2010-12-06 01:42 . 2010-12-06 01:46 -------- d-----w- c:\program files\ATI Technologies
    2010-12-06 01:42 . 2010-12-06 01:42 -------- d-----w- C:\ATI

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-13 02:53 . 2010-06-08 14:00 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2010-10-27 03:08 . 2010-10-27 03:08 16281600 ----a-w- c:\windows\SysWow64\atioglxx.dll
    2010-10-27 02:55 . 2010-10-27 02:55 547328 ----a-w- c:\windows\SysWow64\aticfx32.dll
    2010-10-27 02:50 . 2010-10-27 02:50 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
    2010-10-27 02:49 . 2010-10-27 02:49 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
    2010-10-27 02:49 . 2010-10-27 02:49 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
    2010-10-27 02:46 . 2010-10-27 02:46 4020736 ----a-w- c:\windows\SysWow64\atidxx32.dll
    2010-10-27 02:35 . 2010-10-27 02:35 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
    2010-10-27 02:35 . 2010-10-27 02:35 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
    2010-10-27 02:33 . 2010-10-27 02:33 5441536 ----a-w- c:\windows\SysWow64\aticaldd.dll
    2010-10-27 02:28 . 2010-10-27 02:28 4094464 ----a-w- c:\windows\SysWow64\atiumdag.dll
    2010-10-27 02:14 . 2010-10-27 02:14 249856 ----a-w- c:\windows\SysWow64\atiadlxy.dll
    2010-10-27 02:14 . 2010-10-27 02:14 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
    2010-10-27 02:14 . 2010-10-27 02:14 27136 ----a-w- c:\windows\SysWow64\atigktxx.dll
    2010-10-27 02:13 . 2010-10-27 02:13 30720 ----a-w- c:\windows\SysWow64\atiuxpag.dll
    2010-10-27 02:13 . 2010-10-27 02:13 28672 ----a-w- c:\windows\SysWow64\atiu9pag.dll
    2010-10-27 01:50 . 2010-10-27 01:50 3460096 ----a-w- c:\windows\SysWow64\atiumdva.dll
    2010-10-27 01:37 . 2010-10-27 01:37 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
    2010-10-27 01:37 . 2010-10-27 01:37 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-26_09.31.15 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 02:23 . 2010-12-28 16:36 63760 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-02-01 05:21 . 2010-12-28 16:36 16076 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-147557750-1053090812-367614911-1000_UserData.bin
    + 2010-03-26 05:30 . 2010-03-26 05:30 40832 c:\windows\system32\drivers\MpNWMon.sys
    - 2009-02-01 04:17 . 2010-12-25 16:07 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-02-01 04:17 . 2010-12-28 23:11 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-02-01 04:17 . 2010-12-28 23:11 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-02-01 04:17 . 2010-12-25 16:07 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-02-01 04:17 . 2010-12-28 23:11 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-02-01 04:17 . 2010-12-25 16:07 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-09-19 19:04 . 2010-12-28 16:34 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-09-19 19:04 . 2010-12-25 18:43 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-09-19 19:04 . 2010-12-28 16:34 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-09-19 19:04 . 2010-12-25 18:43 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2006-11-02 12:40 . 2010-12-25 17:49 86016 c:\windows\inf\infstor.dat
    + 2006-11-02 12:40 . 2010-12-27 13:18 86016 c:\windows\inf\infstor.dat
    + 2006-11-02 12:40 . 2010-12-27 13:18 51200 c:\windows\inf\infpub.dat
    - 2006-11-02 12:40 . 2010-12-25 17:49 51200 c:\windows\inf\infpub.dat
    - 2010-12-26 09:13 . 2010-12-26 09:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2010-12-29 15:28 . 2010-12-29 15:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-12-26 09:13 . 2010-12-26 09:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-12-29 15:28 . 2010-12-29 15:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-12-27 06:22 . 2010-11-13 02:53 157472 c:\windows\SysWOW64\javaws.exe
    - 2010-11-07 11:39 . 2010-09-15 12:50 145184 c:\windows\SysWOW64\javaw.exe
    + 2010-12-27 06:22 . 2010-11-13 02:53 145184 c:\windows\SysWOW64\javaw.exe
    - 2010-11-07 11:39 . 2010-09-15 12:50 145184 c:\windows\SysWOW64\java.exe
    + 2010-12-27 06:22 . 2010-11-13 02:53 145184 c:\windows\SysWOW64\java.exe
    + 2006-11-02 15:45 . 2010-12-28 16:36 157862 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 12:46 . 2010-12-28 16:39 613032 c:\windows\system32\perfh009.dat
    - 2006-11-02 12:46 . 2010-12-26 09:20 613032 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2010-12-28 16:39 107990 c:\windows\system32\perfc009.dat
    - 2006-11-02 12:46 . 2010-12-26 09:20 107990 c:\windows\system32\perfc009.dat
    + 2009-10-03 04:54 . 2010-10-19 20:51 270720 c:\windows\system32\MpSigStub.exe
    - 2009-10-03 04:54 . 2010-10-19 18:41 270720 c:\windows\system32\MpSigStub.exe
    + 2010-03-26 05:30 . 2010-03-26 05:30 173984 c:\windows\system32\drivers\MpFilter.sys
    + 2010-12-27 12:02 . 2010-12-27 12:02 301056 c:\windows\Installer\3415cb.msi
    + 2010-12-27 12:02 . 2010-12-27 12:02 335360 c:\windows\Installer\3415c6.msi
    + 2006-11-02 12:40 . 2010-12-27 13:18 143360 c:\windows\inf\infstrng.dat
    - 2006-11-02 12:40 . 2010-12-25 17:49 143360 c:\windows\inf\infstrng.dat
    + 2010-12-27 13:05 . 2010-12-27 13:05 2283008 c:\windows\Installer\61d802.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "VolPanel"="c:\program files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2008-07-10 225396]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-27 98304]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]
    "B Register c:\program files (x86)\DivX\DivX Plus DirectShow Filters\DivXDecH264.ax"="c:\windows\system32\rundll32.exe" [2006-11-02 44544]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "StartMSu"="c:\program files (x86)\Creative\MediaSource5\Startmsu.exe" [2006-10-03 81920]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux3"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2008-11-12 79360]
    R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-01-10 79360]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 40832]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
    R4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
    R4 ETService;Empowering Technology Service;c:\program files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-06-11 24576]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-31 55024]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-03-01 867064]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-10-27 203776]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-10-27 8012288]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-10-27 287232]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys [2008-06-13 316544]
    S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64k.sys [2009-05-09 33160]
    S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [2008-06-04 204288]

    .

    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix"="c:\combofix\CF18827.cfxxe" [X]
    "RunDLLEntry"="c:\windows\system32\RunDLL32.exe" [2006-11-02 46592]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-21 182808]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 2342800]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 2314120]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1448568]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = %SystemRoot%\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    FF - ProfilePath - c:\users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\bnzr58a6.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\MHotKey.exe
    c:\windows\ChiFuncExt.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    .
    **************************************************************************
    .
    Completion time: 2010-12-29 07:33:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-29 15:33
    ComboFix2.txt 2010-12-27 11:10
    ComboFix3.txt 2010-12-26 09:33

    Pre-Run: 252,964,798,464 bytes free
    Post-Run: 252,959,793,152 bytes free

    - - End Of File - - 52B0FD0BE0E93F39390EA693DF538A6F



    Kaspersky online scanner: I went to the link and ran this in 32bit Internet Explorer run as admin as per directions. After the lengthy database update downloaded, the program stopped. From perusing Kaspersky's main site, it appears that this Kaspersky Online Scanner utility is offline until they are ready to deploy an improved version. http://www.kaspersky.com/virusscanner
     
  8. Tecnot

    Tecnot TS Rookie Topic Starter

    Are you not seeing anything here Bobbye? A lot of people have been having this issue, and none of them have been able to find the source or remove it. As for another possible lead, the timing of this report seems to coincide well with the stolen identity information in real time:

    http://www.microsoft.com/technet/security/advisory/2488013.mspx

    As this has been ongoing for awhile with no remedy in sight, I've decided to format and reinstall. Ugh, the lesser of two evils I guess. I've ordered recovery software for 20 bones to arrive in a week, straight from the manufacturer of my PC (there is a recovery partition, however I don't trust that to be clean).

    Before I do that, however, I'd like to back up recent data if it's possible to do so safely (things like wedding photos, mp3s I've purchased, bookmarks, etc. onto DVD). Could you please take me through the steps necessary to undo and remove whatever it is that has been done by ComboFix as you tried to help me search for and pinpoint the malware?
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Regarding uTorrent:
    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
    =================================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disk Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    I did not see any indication of malware in these logs.

    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html
     