Infected with a keylogger, please help


Tecnot

Happy Holidays!

Recently my email address was compromised, along with my World of Warcraft account. I changed to another email address, and that was compromised too the next day (I can no longer access either email address as they changed the security questions as well). Undoubtedly I have a keylogger on my system, however I can't figure out how to remove it! I've changed my bank information on another system so that doesn't get compromised. The email I created to register for this site will likely be taken from me soon as well, however I had no choice but to use this infected PC for that in order to get the logs to post. Ad-Aware, AVG anti-virus, Windows Defender, Spybot S&D, and Malwarebytes full scans have all come up with nothing; AVG Tune-up and CCleaner have not solved the problem either. Please help me eliminate this keylogger; it has me stumped!

Following the sticky guidelines, I'll now post the logs from Malwarebytes, GMER, and DDS.



Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5388

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

12/24/2010 12:25:17 PM
mbam-log-2010-12-24 (12-25-17).txt

Scan type: Full scan (C:\|)
Objects scanned: 344595
Time elapsed: 49 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-25 07:17:35
Windows 6.0.6002 Service Pack 2
Running: dhr3zlcw.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0F 0x8A 0xD5 0x75 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0F 0x8A 0xD5 0x75 ...

---- EOF - GMER 1.0.15 ----



DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Tom at 7:26:04.96 on Sat 12/25/2010
Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1712 [GMT -8:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\PROGRA~2\AVG\AVG10\avgchsva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\MHotKey.exe
C:\Windows\ChiFuncExt.exe
C:\Windows\system32\agr64svc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
C:\Program Files (x86)\AVG\AVG10\avgemca.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\CNYHKey.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\AVG\AVG10\avgtray.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\ModLedKey.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~2\AVG\AVG10\avgrsa.exe
C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Tom\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = Preserve
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1108&m=fx6800-01e&c=BB
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1108&m=fx6800-01e&c=BB
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1108&m=fx6800-01e&c=BB
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
mRun: [VolPanel] "C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" /r
mRun: [UpdReg] C:\Windows\UpdReg.EXE
mRun: [LchDrvKey] LchDrvKey.exe
mRun: [LedKey] CNYHKey.exe
mRun: [eRecoveryService]
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
mRunOnce: [B Register C:\Program Files (x86)\DivX\DivX Plus DirectShow Filters\DivXDecH264.ax] "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\DivX\DivX Plus DirectShow Filters\DivXDecH264.ax",DllRegisterServer
dRunOnce: [StartMSu] "C:\Program Files (x86)\Creative\MediaSource5\Startmsu.exe" /s
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [RunDLLEntry] C:\Windows\system32\RunDLL32.exe C:\Windows\system32\AmbRunE.dll,RunDLLEntry
mRun-x64: [IAAnotif] "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe"
mRun-x64: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
mRun-x64: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\bnzr58a6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox\components\avgssff.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\real\realplayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\Netscape6\nprpjplug.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - C:\Program Files (x86)\AVG\AVG10\Firefox

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;C:\Windows\System32\drivers\AVGIDSEH.sys [2010-9-13 27216]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2010-9-7 30288]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2008-1-9 55024]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2010-9-7 305232]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2010-9-7 41040]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2010-11-9 382032]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-10-26 203776]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2010-11-10 6127184]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2010-10-22 265400]
R2 ETService;Empowering Technology Service;C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-11-11 24576]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2010-10-26 8012288]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-10-26 287232]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\AVGIDSDriver.sys [2010-8-19 133712]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\System32\drivers\AVGIDSFilter.sys [2010-8-19 35920]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;C:\Windows\System32\drivers\e1y60x64.sys [2008-9-30 316544]
R3 Point64;Microsoft IntelliPoint Filter Driver;C:\Windows\System32\drivers\point64k.sys [2009-5-8 33160]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RTS5121.sys [2008-11-11 204288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2008-1-9 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-1-9 79360]
S3 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 Symantec Core LC;Symantec Core LC;C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [2008-1-9 1245064]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-23 89920]
S4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]

=============== File Associations ===============

JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

=============== Created Last 30 ================

2010-12-25 07:03:42 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2010-12-25 07:03:42 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy
2010-12-24 15:13:33 49752 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2010-12-24 15:09:55 -------- d-----w- C:\Users\Tom\AppData\Local\Sunbelt Software
2010-12-24 13:58:27 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2010-12-24 13:58:23 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2010-12-24 13:28:52 -------- d--h--w- C:\$AVG
2010-12-24 11:37:30 -------- d-----w- C:\Windows\SysWow64\drivers\AVG
2010-12-24 11:35:55 -------- d-----w- C:\Windows\System32\drivers\AVG
2010-12-24 11:33:56 -------- d-----w- C:\Program Files (x86)\AVG
2010-12-24 09:58:12 8199504 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{13846A47-A914-4074-A346-5DF6B7B89EE6}\mpengine.dll
2010-12-14 20:13:59 77312 ----a-w- C:\Windows\System32\iesetup.dll
2010-12-06 01:49:36 0 ----a-w- C:\Windows\ativpsrm.bin
2010-12-06 01:43:24 -------- d-----w- C:\Program Files (x86)\ATI Technologies
2010-12-06 01:43:18 -------- d-----w- C:\Program Files\ATI
2010-12-06 01:42:44 -------- d-----w- C:\Program Files\ATI Technologies
2010-12-06 01:42:01 -------- d-----w- C:\ATI

==================== Find3M ====================

2010-12-21 02:08:40 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-11-10 06:20:56 382032 ----a-w- C:\Windows\System32\drivers\avgtdia.sys
2010-11-06 11:18:48 500224 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2010-11-06 11:18:27 655872 ----a-w- C:\Windows\System32\taskschd.dll
2010-11-06 11:18:27 410112 ----a-w- C:\Windows\System32\taskcomp.dll
2010-11-06 11:18:13 855040 ----a-w- C:\Windows\System32\schedsvc.dll
2010-11-04 23:58:17 267776 ----a-w- C:\Windows\System32\taskeng.exe
2010-11-04 18:55:38 352768 ----a-w- C:\Windows\SysWow64\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- C:\Windows\SysWow64\taskcomp.dll
2010-11-04 16:34:06 171520 ----a-w- C:\Windows\SysWow64\taskeng.exe
2010-11-02 06:27:41 1147904 ----a-w- C:\Windows\System32\wininet.dll
2010-11-02 06:24:01 56832 ----a-w- C:\Windows\System32\licmgr10.dll
2010-11-02 06:23:47 1538560 ----a-w- C:\Windows\System32\inetcpl.cpl
2010-11-02 06:23:35 132096 ----a-w- C:\Windows\System32\iesysprep.dll
2010-11-02 06:01:54 916480 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- C:\Windows\SysWow64\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2010-11-02 05:25:33 479232 ----a-w- C:\Windows\System32\html.iec
2010-11-02 05:01:31 385024 ----a-w- C:\Windows\SysWow64\html.iec
2010-11-02 04:45:37 162816 ----a-w- C:\Windows\System32\ieUnatt.exe
2010-11-02 04:44:24 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-11-02 04:26:10 133632 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-10-28 16:29:18 48128 ----a-w- C:\Windows\System32\atmlib.dll
2010-10-28 15:44:56 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2010-10-28 14:05:21 367104 ----a-w- C:\Windows\System32\atmfd.dll
2010-10-28 13:56:57 2048 ----a-w- C:\Windows\System32\tzres.dll
2010-10-28 13:27:47 292352 ----a-w- C:\Windows\SysWow64\atmfd.dll
2010-10-28 13:20:12 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-10-27 04:00:14 8012288 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2010-10-27 03:25:36 21422592 ----a-w- C:\Windows\System32\atio6axx.dll
2010-10-27 03:08:16 16281600 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2010-10-27 02:55:30 143360 ----a-w- C:\Windows\System32\atiapfxx.exe
2010-10-27 02:55:22 547328 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2010-10-27 02:54:22 645120 ----a-w- C:\Windows\System32\aticfx64.dll
2010-10-27 02:52:18 450560 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2010-10-27 02:52:12 478208 ----a-w- C:\Windows\System32\atieclxx.exe
2010-10-27 02:51:36 203776 ----a-w- C:\Windows\System32\atiesrxx.exe
2010-10-27 02:50:28 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2010-10-27 02:50:14 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2010-10-27 02:50:08 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2010-10-27 02:49:56 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2010-10-27 02:49:52 16384 ----a-w- C:\Windows\System32\atimuixx.dll
2010-10-27 02:49:48 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2010-10-27 02:49:44 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2010-10-27 02:46:56 4020736 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2010-10-27 02:38:02 4744704 ----a-w- C:\Windows\System32\atidxx64.dll
2010-10-27 02:35:28 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2010-10-27 02:35:26 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2010-10-27 02:35:18 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2010-10-27 02:35:16 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2010-10-27 02:35:06 6815744 ----a-w- C:\Windows\System32\aticaldd64.dll
2010-10-27 02:33:50 5441536 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2010-10-27 02:28:20 4094464 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2010-10-27 02:22:02 5218304 ----a-w- C:\Windows\System32\atiumd64.dll
2010-10-27 02:14:58 58880 ----a-w- C:\Windows\System32\coinst.dll
2010-10-27 02:14:56 349184 ----a-w- C:\Windows\System32\atiadlxx.dll
2010-10-27 02:14:50 249856 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2010-10-27 02:14:42 14848 ----a-w- C:\Windows\System32\atig6pxx.dll
2010-10-27 02:14:40 12800 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2010-10-27 02:14:40 12800 ----a-w- C:\Windows\System32\atiglpxx.dll
2010-10-27 02:14:36 31744 ----a-w- C:\Windows\System32\atig6txx.dll
2010-10-27 02:14:30 27136 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2010-10-27 02:14:22 287232 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2010-10-27 02:13:42 39936 ----a-w- C:\Windows\System32\atiuxp64.dll
2010-10-27 02:13:34 30720 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2010-10-27 02:13:28 37888 ----a-w- C:\Windows\System32\atiu9p64.dll
2010-10-27 02:13:22 28672 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2010-10-27 02:13:04 26112 ----a-w- C:\Windows\System32\atitmp64.dll
2010-10-27 02:12:54 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2010-10-27 01:57:02 3221504 ----a-w- C:\Windows\System32\atiumd6a.dll
2010-10-27 01:50:08 3460096 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2010-10-27 01:37:16 53760 ----a-w- C:\Windows\System32\atimpc64.dll
2010-10-27 01:37:16 53760 ----a-w- C:\Windows\System32\amdpcom64.dll
2010-10-27 01:37:12 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2010-10-27 01:37:12 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2010-10-19 18:41:44 270720 ------w- C:\Windows\System32\MpSigStub.exe
2010-10-18 15:35:48 87552 ----a-w- C:\Windows\System32\consent.exe
2010-10-18 15:25:36 2753536 ----a-w- C:\Windows\System32\win32k.sys

============= FINISH: 7:26:28.32 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 11/11/2008 5:13:35 PM
System Uptime: 12/25/2010 6:34:07 AM (1 hours ago)

Motherboard: Gateway | | TBGM01
Processor: Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz | CPU 1 | 2667/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 689 GiB total, 202.579 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================


µTorrent
AC3Filter 1.63b
Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
Age of Wonders
Amazon MP3 Downloader 1.0.3
Apple Software Update
ATMA V 5.05
AVerMedia M791 PCIe Combo NTSC/ATSC 6.104.64.5
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
ccc-core-static
CCC Help English
Compatibility Pack for the 2007 Office system
Creative ALchemy
Creative MediaSource 5
CyberLink LabelPrint
CyberLink Power2Go
D3DX10
Diablo II
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
DivX Version Checker
Dragon Age: Origins
Driver Sweeper version 2.5.0
FLV Player 2.0 (build 25)
Fraps
Gateway Games
Gateway Recovery Management
GearDrvs
Heroes of Might and Magic V
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) 6 Update 5
KB0817 Keyboard Driver
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Money Essentials
Microsoft Money Shared Libraries
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox (3.6.13)
MSVCRT
NVIDIA PhysX
Peggle Deluxe 1.01
Peggle Nights Deluxe 1.0
Peggle World of Warcraft Edition
QuickTime
RealPlayer
Realtek Card Reader
RealUpgrade 1.0
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Segoe UI
SmartCopy
SmartLauncher
Sound Blaster X-Fi MB
Spybot - Search & Destroy
Star Wars Empire at War
Star Wars Empire at War Forces of Corruption
Star Wars(R) Knights of the Old Republic(R) II: The Sith Lords(TM)
Station Launcher
The Lord of the Rings Online™ v03.02.03.8013
Torchlight
TreeSize Free V2.4
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VC80CRTRedist - 8.0.50727.4053
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual C++ 8.0 Runtime Setup Package (x64)
Visual Studio 2008 x64 Redistributables
Warcraft III
Warcraft III: All Products
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Media Player Firefox Plugin
WinRAR archiver
World of Warcraft

==== End Of File ===========================
 
Which email are you using? If it's web-based such as Hotmail, your account could have been hacked from the internet. Did you set up the new account in the same mail program? What happened to let you know the account was compromised?

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
=======================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query - Recovery Console image: [RcAuto1.gif]
    WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: [whatnext.png]
  • Click on Yes, to continue scanning for malware.
  • If Combofix asks you to update the program, allow it.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe [cf-icon.jpg] & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

We'll see if either of these programs turns anything up. You will have to uninstall AVG to run Combofix. Try disabling it first; but if you get the error message about AVG being on the system and Combofix can't run, you'll have to remove it.
 
The first email was hotmail, and the second and third were gmail. I could tell that my Warcraft account was compromised (first notification of the infection) as I was online at the time, and it kicked me off as another user logged in from a different address and changed the password. Trying to log into any email account I've accessed recently leads to the discovery of a changed password and security question despite 12+ digit long strings of random letters and numbers I write down on a piece of paper that no one has access to but myself.

It's pretty common knowledge that the hijackers are based out of China, and their goals are to take control of virtual accounts and items for real monetary sale. Often fraudulent transactions towards a bank or credit account are made as well. By also controlling email accounts involved they can ensure a user cannot regain access from automated systems, thus securing the theft. This all leads me to believe they are recording keystrokes from this machine, and possibly more (such as images captured at relevant times).

I've spent many, many hours trying to piece together bits of info and learn this stuff for myself. It's quite a daunting task. My uneducated guess tells me that the culprits are ChiFuncExt.exe, MHotKey.exe, CNYHKey.exe, ModLedKey.exe and probably others (for running processes at least). I don't know much about the registry and files. The reason I suspect these processes is that I use a Microsoft wireless keyboard that should be using IntelliType software drivers, and these programs are made by Chicony (a Chinese keyboard manufacturer) or could be malware disguised as such. I have no clue how the information is transmitted to the hijacker through the internet.



Here are the results from temporarily disabling AVG and running Eset NOD32 (Remove found threats / Scan archives unchecked; Scan unwanted apps / Scan unsafe apps / Anti-stealth technology are checked):

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=923bfc765d0ecd419bcd47cc92f03147
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-12-26 06:44:13
# local_time=2010-12-25 10:44:13 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1032 16777213 100 88 0 50066268 0 0
# compatibility_mode=5893 16776574 100 52 0 129940913 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=204119
# found=0
# cleaned=0
# scan_time=3638



Uninstalled AVG and ran ComboFix; here are the results (towards the end of the process it said PEV.cfxxe has stopped working numerous times on the Vista 64bit operating system, if this is of any significance).

ComboFix 10-12-25.02 - Tom 12/26/2010 1:23.1.8 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1826 [GMT -8:00]
Running from: c:\users\Tom\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-11-26 to 2010-12-26 )))))))))))))))))))))))))))))))
.

2010-12-26 09:31 . 2010-12-26 09:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-25 07:03 . 2010-12-25 07:06 -------- d-----w- c:\progra~3\Spybot - Search & Destroy
2010-12-25 07:03 . 2010-12-25 07:06 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2010-12-24 15:09 . 2010-12-24 15:09 -------- d-----w- c:\users\Tom\AppData\Local\Sunbelt Software
2010-12-24 15:07 . 2010-12-25 06:39 -------- d-----w- c:\progra~3\Lavasoft
2010-12-24 13:58 . 2010-12-21 02:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2010-12-24 13:58 . 2010-12-24 13:58 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-12-24 09:58 . 2010-11-10 05:35 8199504 ----a-w- c:\progra~3\Microsoft\Windows Defender\Definition Updates\{13846A47-A914-4074-A346-5DF6B7B89EE6}\mpengine.dll
2010-12-14 20:13 . 2010-11-02 06:23 300544 ----a-w- c:\program files\Internet Explorer\IEShims.dll
2010-12-06 01:49 . 2010-12-06 01:49 -------- d-----w- c:\progra~3\ATI
2010-12-06 01:49 . 2010-12-06 01:49 0 ----a-w- c:\windows\ativpsrm.bin
2010-12-06 01:43 . 2010-12-06 01:43 -------- d-----w- c:\program files (x86)\ATI Technologies
2010-12-06 01:43 . 2010-12-06 01:43 -------- d-----w- c:\program files\ATI
2010-12-06 01:42 . 2010-12-06 01:46 -------- d-----w- c:\program files\ATI Technologies
2010-12-06 01:42 . 2010-12-06 01:42 -------- d-----w- C:\ATI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-27 03:08 . 2010-10-27 03:08 16281600 ----a-w- c:\windows\SysWow64\atioglxx.dll
2010-10-27 02:55 . 2010-10-27 02:55 547328 ----a-w- c:\windows\SysWow64\aticfx32.dll
2010-10-27 02:50 . 2010-10-27 02:50 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2010-10-27 02:49 . 2010-10-27 02:49 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2010-10-27 02:49 . 2010-10-27 02:49 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2010-10-27 02:46 . 2010-10-27 02:46 4020736 ----a-w- c:\windows\SysWow64\atidxx32.dll
2010-10-27 02:35 . 2010-10-27 02:35 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2010-10-27 02:35 . 2010-10-27 02:35 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2010-10-27 02:33 . 2010-10-27 02:33 5441536 ----a-w- c:\windows\SysWow64\aticaldd.dll
2010-10-27 02:28 . 2010-10-27 02:28 4094464 ----a-w- c:\windows\SysWow64\atiumdag.dll
2010-10-27 02:14 . 2010-10-27 02:14 249856 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2010-10-27 02:14 . 2010-10-27 02:14 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2010-10-27 02:14 . 2010-10-27 02:14 27136 ----a-w- c:\windows\SysWow64\atigktxx.dll
2010-10-27 02:13 . 2010-10-27 02:13 30720 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2010-10-27 02:13 . 2010-10-27 02:13 28672 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2010-10-27 01:50 . 2010-10-27 01:50 3460096 ----a-w- c:\windows\SysWow64\atiumdva.dll
2010-10-27 01:37 . 2010-10-27 01:37 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
2010-10-27 01:37 . 2010-10-27 01:37 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2008-07-10 225396]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-27 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
"B Register c:\program files (x86)\DivX\DivX Plus DirectShow Filters\DivXDecH264.ax"="c:\windows\system32\rundll32.exe" [2006-11-02 44544]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"StartMSu"="c:\program files (x86)\Creative\MediaSource5\Startmsu.exe" [2006-10-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2008-11-12 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-01-10 79360]
R3 gwfilt64;gwfilt64;c:\windows\system32\drivers\gwfilt64.sys [x]
R3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SysInfo;SysInfo;c:\windows\system32\drivers\SysInfo.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R4 ETService;Empowering Technology Service;c:\program files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-06-11 24576]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-31 55024]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-03-01 867064]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-10-27 203776]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-10-27 8012288]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-10-27 287232]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys [2008-06-13 316544]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64k.sys [2009-05-09 33160]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [2008-06-04 204288]

.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="%ProgramFiles%\Windows Defender\MSASCui.exe -hide" [X]
"RunDLLEntry"="c:\windows\system32\RunDLL32.exe" [2006-11-02 46592]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-21 182808]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 2342800]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 2314120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1108&m=fx6800-01e&c=BB
mLocal Page = c:\windows\SysWOW64\blank.htm
FF - ProfilePath - c:\users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\bnzr58a6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
.
- - - - ORPHANS REMOVED - - - -

Wow6432Node-HKLM-Run-eRecoveryService - (no file)


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-12-26 01:33:54
ComboFix-quarantined-files.txt 2010-12-26 09:33

Pre-Run: 216,132,399,104 bytes free
Post-Run: 216,041,463,808 bytes free

- - End Of File - - 9FECC8738E9F1B937FAAC86133F34907



I really appreciate the help. My hope is to get the system cleaned up, and then perhaps share information with individuals who may have the same thing going on but are as or more clueless than I am on where and how to solve the problem at hand (such that this compromise method doesn't recur).
 
You have 8 versions of Java as addons in Firefox. These are a vulnerability.
Please open Firefox> Tools> Addons> highlight and remove versions v6u13 through v621.
Close Addons

Check this site: Java Updates. The current version is v6u23. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

NOTE: you do not have to use the addons feature in Firefox for Java. When you keep it updated through Programs, this will include Firefox.

I know you're looking for a keylogger, but I'm not seeing it. Consider this please: yes, a lot of hacking and cracking comes out of the CHINANET backbone. One reason is because they have the highest per capita internet access of any nation. But to suspect that China is behind your problem because your motherboard was made in China is foolish. Almost everything you turn over and read the label on the bottom says 'Made in China'!

As for helping others with the same problem, when we find it, keep in mind that malware help is very specific for that user, for that machine. Even though we may use the same scans, what we do with the results is specific.
==============================================
I'm going to direct you to "How to Use Microsoft Process Explorer to Find Keyloggers".
It is well set up, including screenshots, and takes you step by step.

Because of the nature of a keylogger, there aren't many specific, legitimate and reliable programs to find one. Spybot Search & Destroy has the ability, but you said you ran it with no results.
======================================
Please run this Custom CFScript

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\DRIVERS\Rts516xIR.sys
c:\windows\system32\drivers\gwfilt64.sys
Folder::

DDS::
uLocal Page = c:\windows\system32\blank.htm
mStart Page = mLocal Page = c:\windows\SysWOW64\blank.htm
mRun: [LchDrvKey] LchDrvKey.exe
mRun: [LedKey] CNYHKey.exe
RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LchDrvKey"=-
"LedKey"=-

Driver::
Rts516xIR
gwfilt64
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image CFScriptB-4.gif: CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
Note: The 'key' entries are not malware. I am disabling them as a precaution.
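As an added example (not from this thread and not ComboFix's own code), here is a small Python parser that applies the same reading of the "Reg Loading Points" section that the helper is doing above: it flags Run/RunOnce values that load a bare file name (resolved through the search path rather than a fixed location), values ComboFix marks [X] because the file was not found, and drivers/services whose file is missing ([x]). The sample log is constructed from entries that appear in this thread.

```python
import re

# Constructed sample, copied in shape from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2008-07-10 225396]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="%ProgramFiles%\Windows Defender\MSASCui.exe -hide" [X]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 2342800]

R3 gwfilt64;gwfilt64;c:\windows\system32\drivers\gwfilt64.sys [x]
R3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys [2008-06-13 316544]
"""

# Line shapes used by ComboFix in this section of the log.
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s+\[([^\]]*)\]$')
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$')
# First file-like token of a command line (path or bare name, with a known extension).
EXE_RE = re.compile(r'^"?([^"]*?\.(?:exe|dll|ax|sys))', re.IGNORECASE)

REASON_MISSING = "ComboFix could not find the file on disk ([X])"
REASON_BARE = "bare file name: loaded via the search path rather than from a fixed location"
REASON_SERVICE_MISSING = "service/driver is still registered but its file is missing ([x])"


def executable_of(command):
    """Return the file the command loads, or the whole command if no file is visible."""
    m = EXE_RE.match(command)
    return m.group(1) if m else command


def review_combofix(text):
    """Walk the log and return a list of findings, one dict per suspicious entry."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name, command, tag = m.groups()
            exe = executable_of(command)
            reasons = []
            if tag.upper() == "X":
                reasons.append(REASON_MISSING)
            # Only a real file token without any directory component counts as "bare".
            if EXE_RE.match(command) and "\\" not in exe and "/" not in exe:
                reasons.append(REASON_BARE)
            if reasons:
                findings.append({"kind": "autorun", "key": current_key,
                                 "name": name, "path": exe, "reasons": reasons})
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, service, _desc, path, tag = m.groups()
            if tag.lower() == "x":
                findings.append({"kind": "service", "key": state, "name": service,
                                 "path": path, "reasons": [REASON_SERVICE_MISSING]})
    return findings


def main():
    for f in review_combofix(SAMPLE_LOG):
        print(f"{f['kind']:8} {f['name']:18} {f['path']}")
        for r in f["reasons"]:
            print(f"         - {r}")


if __name__ == "__main__":
    main()
```

Entries flagged only as bare file names (LchDrvKey.exe, CNYHKey.exe here) are not evidence of malware by themselves, which is the helper's point; the parser just tells you which entries to verify on disk before deciding anything.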
 
Alright, I removed the 8 Java Console versions from Firefox addons (no idea why Java updates over the last couple years have been leaving vulnerable java console versions in firefox). I also removed the .NET framework assistant from firefox as per instructions here (it has always been disabled anyway): http://support.microsoft.com/kb/963707

Downloaded Java and installed Update 23 (it replaced Update 22). Uninstalled the 'Update 5' that was also present in Add/Remove programs for some reason. Installing Update 23 added another Java Console to Firefox, which I removed. All that remains in Firefox addons are AdBlock Plus, ChatZilla (IRC program for mozilla channels), and NoScript (where I went through the whitelist name by name and ensured only a dozen or so trusted sites are listed like microsoft, amd, google, mozilla, my bank, etc).

I want to say I have some kind of active win32.hooker trojan that has been stealing my information and passwords (keep in mind I have no idea what win32.hooker trojan even means, it's just a name I have come across with symptoms matching what is happening as I google stuff). The only way I believe this could have been contracted is when about 6 months ago, a youth visited who I discovered had downloaded a program called Poweriso to run some old game on a CD. Perhaps it could sit dormant for extended periods, only to appear at certain times?

Downloaded and ran the Process Explorer utility (nifty tool compared to ctrl+shift+esc). I can't find any .dll that automatically highlights in purple as suspicious. I didn't kill any processes or change anything at all, just viewed (as per the forum guide to not change anything while someone is helping). I also tried viewing this utility while having Warcraft and Hotmail open with gibberish in the entry fields (on the hunch that the keylogger is dormant until it sees something to act on), but still everything was tagged with Microsoft Corporation or appears normal to my eyes (other than command line C:\Windows\MHotKey.exe having different capitalizations from path C:\Windows\mHotkey.exe).



New ComboFix results:

ComboFix 10-12-26.01 - Tom 12/27/2010 2:55.2.8 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1654 [GMT -8:00]
Running from: c:\users\Tom\Desktop\ComboFix.exe
Command switches used :: c:\users\Tom\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\drivers\gwfilt64.sys"
"c:\windows\system32\DRIVERS\Rts516xIR.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gwfilt64
-------\Service_Rts516xIR


((((((((((((((((((((((((( Files Created from 2010-11-27 to 2010-12-27 )))))))))))))))))))))))))))))))
.

2010-12-27 11:03 . 2010-12-27 11:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-25 07:03 . 2010-12-25 07:06 -------- d-----w- c:\progra~3\Spybot - Search & Destroy
2010-12-25 07:03 . 2010-12-25 07:06 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2010-12-24 15:09 . 2010-12-24 15:09 -------- d-----w- c:\users\Tom\AppData\Local\Sunbelt Software
2010-12-24 15:07 . 2010-12-25 06:39 -------- d-----w- c:\progra~3\Lavasoft
2010-12-24 13:58 . 2010-12-21 02:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2010-12-24 13:58 . 2010-12-24 13:58 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-12-24 09:58 . 2010-11-10 05:35 8199504 ----a-w- c:\progra~3\Microsoft\Windows Defender\Definition Updates\{13846A47-A914-4074-A346-5DF6B7B89EE6}\mpengine.dll
2010-12-14 20:13 . 2010-11-02 06:23 300544 ----a-w- c:\program files\Internet Explorer\IEShims.dll
2010-12-06 01:49 . 2010-12-06 01:49 -------- d-----w- c:\progra~3\ATI
2010-12-06 01:49 . 2010-12-06 01:49 0 ----a-w- c:\windows\ativpsrm.bin
2010-12-06 01:43 . 2010-12-06 01:43 -------- d-----w- c:\program files (x86)\ATI Technologies
2010-12-06 01:43 . 2010-12-06 01:43 -------- d-----w- c:\program files\ATI
2010-12-06 01:42 . 2010-12-06 01:46 -------- d-----w- c:\program files\ATI Technologies
2010-12-06 01:42 . 2010-12-06 01:42 -------- d-----w- C:\ATI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-13 02:53 . 2010-06-08 14:00 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2010-10-27 03:08 . 2010-10-27 03:08 16281600 ----a-w- c:\windows\SysWow64\atioglxx.dll
2010-10-27 02:55 . 2010-10-27 02:55 547328 ----a-w- c:\windows\SysWow64\aticfx32.dll
2010-10-27 02:50 . 2010-10-27 02:50 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2010-10-27 02:49 . 2010-10-27 02:49 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2010-10-27 02:49 . 2010-10-27 02:49 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2010-10-27 02:46 . 2010-10-27 02:46 4020736 ----a-w- c:\windows\SysWow64\atidxx32.dll
2010-10-27 02:35 . 2010-10-27 02:35 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2010-10-27 02:35 . 2010-10-27 02:35 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2010-10-27 02:33 . 2010-10-27 02:33 5441536 ----a-w- c:\windows\SysWow64\aticaldd.dll
2010-10-27 02:28 . 2010-10-27 02:28 4094464 ----a-w- c:\windows\SysWow64\atiumdag.dll
2010-10-27 02:14 . 2010-10-27 02:14 249856 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2010-10-27 02:14 . 2010-10-27 02:14 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2010-10-27 02:14 . 2010-10-27 02:14 27136 ----a-w- c:\windows\SysWow64\atigktxx.dll
2010-10-27 02:13 . 2010-10-27 02:13 30720 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2010-10-27 02:13 . 2010-10-27 02:13 28672 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2010-10-27 01:50 . 2010-10-27 01:50 3460096 ----a-w- c:\windows\SysWow64\atiumdva.dll
2010-10-27 01:37 . 2010-10-27 01:37 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
2010-10-27 01:37 . 2010-10-27 01:37 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-12-26_09.31.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 02:23 . 2010-12-27 06:53 63188 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-02-01 05:21 . 2010-12-26 09:15 15424 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-147557750-1053090812-367614911-1000_UserData.bin
+ 2009-02-01 05:21 . 2010-12-27 06:53 15424 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-147557750-1053090812-367614911-1000_UserData.bin
- 2009-02-01 04:17 . 2010-12-25 16:07 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-01 04:17 . 2010-12-27 07:47 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-01 04:17 . 2010-12-25 16:07 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-01 04:17 . 2010-12-27 07:47 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-01 04:17 . 2010-12-25 16:07 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-01 04:17 . 2010-12-27 07:47 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-09-19 19:04 . 2010-12-25 18:43 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-19 19:04 . 2010-12-26 09:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-09-19 19:04 . 2010-12-25 18:43 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-09-19 19:04 . 2010-12-26 09:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-12-26 09:13 . 2010-12-26 09:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-12-27 11:04 . 2010-12-27 11:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-12-26 09:13 . 2010-12-26 09:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-12-27 11:04 . 2010-12-27 11:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-12-27 06:22 . 2010-11-13 02:53 157472 c:\windows\SysWOW64\javaws.exe
- 2010-11-07 11:39 . 2010-09-15 12:50 145184 c:\windows\SysWOW64\javaw.exe
+ 2010-12-27 06:22 . 2010-11-13 02:53 145184 c:\windows\SysWOW64\javaw.exe
- 2010-11-07 11:39 . 2010-09-15 12:50 145184 c:\windows\SysWOW64\java.exe
+ 2010-12-27 06:22 . 2010-11-13 02:53 145184 c:\windows\SysWOW64\java.exe
+ 2006-11-02 15:45 . 2010-12-27 06:53 157500 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 12:46 . 2010-12-26 09:20 613032 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2010-12-27 06:59 613032 c:\windows\system32\perfh009.dat
- 2006-11-02 12:46 . 2010-12-26 09:20 107990 c:\windows\system32\perfc009.dat
+ 2006-11-02 12:46 . 2010-12-27 06:59 107990 c:\windows\system32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2008-07-10 225396]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-27 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
"B Register c:\program files (x86)\DivX\DivX Plus DirectShow Filters\DivXDecH264.ax"="c:\windows\system32\rundll32.exe" [2006-11-02 44544]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"StartMSu"="c:\program files (x86)\Creative\MediaSource5\Startmsu.exe" [2006-10-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2008-11-12 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-01-10 79360]
R3 SysInfo;SysInfo;c:\windows\system32\drivers\SysInfo.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R4 ETService;Empowering Technology Service;c:\program files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-06-11 24576]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-31 55024]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-03-01 867064]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-10-27 203776]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-10-27 8012288]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-10-27 287232]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys [2008-06-13 316544]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64k.sys [2009-05-09 33160]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [2008-06-04 204288]

.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF25038.cfxxe" [X]
"RunDLLEntry"="c:\windows\system32\RunDLL32.exe" [2006-11-02 46592]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-21 182808]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 2342800]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 2314120]
.
------- Supplementary Scan -------
.
uLocal Page = %SystemRoot%\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
FF - ProfilePath - c:\users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\bnzr58a6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
.
- - - - ORPHANS REMOVED - - - -

Wow6432Node-HKLM-Run-SunJavaUpdateSched - c:\program files (x86)\Java\jre6\bin\jusched.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\MHotKey.exe
c:\windows\ChiFuncExt.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
.
**************************************************************************
.
Completion time: 2010-12-27 03:10:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-27 11:10
ComboFix2.txt 2010-12-26 09:33

Pre-Run: 228,715,298,816 bytes free
Post-Run: 228,911,181,824 bytes free

- - End Of File - - 40ECEE83183C82E050F1CDE9D2D7E8D8


(Edited to add a minor note - After doing all of this, Windows Update decided to download Microsoft Security Essentials for Vista 64 to replace the missing AVG I suppose, and a scan found no threats. Windows Update also downloaded an update to .NET Framework 3.5 SP1 for the .NET Framework Assistant 1.0 x64 for Firefox - I removed it again from Firefox add-ons).
 
Regarding PowerISO:
This is a disk image utility that can open, create, edit, compress, encrypt, mount and extract ISO files. This is a legitimate program and does come with a free trial. IF he downloaded it from a reputable site, it shouldn't be a problem.

Regarding this: Windows Update & MSE:
Windows Update decided to download Microsoft Security Essentials
If you have given Windows free rein to download and install everything, then you must share in the consequences. I have never given up control of my system to Microsoft. I decide which updates I want and refuse those I don't, after exercising my right to check out an update and its information before I decide whether to d/l and install it.

Regarding Java: Unfortunately, the new updates do not usually overwrite the older versions. A travesty, I think, since it leaves vulnerabilities. And I see many logs with auto Java update that neither have the latest version nor have removed the older versions.

Regarding Sites in the Trusted Zone:
You don't need to put any site in the Trusted Zone. The zone has lower security, and domains do not need to be in there for you to exchange info. It's a gimmick when they tell you to put them in the Trusted Zone, because then they can get junk promotional emails through to you.
=====================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\SysInfo.sys 
Folder::
RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"=-
Driver::
SysInfo
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
Please run this online virus scan:
Run Kaspersky Online Scanner in Internet Explorer

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
 
Ah, my mistake on wording there with Windows Update. Windows didn't automatically install; they came up as 'recommended' and 'optional' updates (I did so since they are security related). Regarding PowerISO, after some discussion I learned that my relative did not get it from a reputable site (rather via torrent without my consent and using poor judgement). I use torrent technology through uTorrent rarely for legitimate purposes (like when a software developer distributes via torrent, but their proprietary software fails to perform well). I now believe this to be the most logical point of contraction, 6 months ago (unless those Java vulnerabilities allowed something through). Unfortunately this does me no good in identifying what exactly the infection is that may have come with it.

ComboFix 10-12-28.03 - Tom 12/29/2010 7:19.3.8 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1539 [GMT -8:00]
Running from: c:\users\Tom\Desktop\ComboFix.exe
Command switches used :: c:\users\Tom\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Disabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\drivers\SysInfo.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SysInfo


((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-29 )))))))))))))))))))))))))))))))
.

2010-12-29 15:26 . 2010-12-29 15:28 -------- d-----w- c:\users\Tom\AppData\Local\temp
2010-12-29 15:26 . 2010-12-29 15:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-28 14:46 . 2010-11-10 05:35 8199504 ----a-w- c:\progra~3\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-12-28 14:46 . 2010-11-10 05:35 8199504 ----a-w- c:\progra~3\Microsoft\Microsoft Antimalware\Definition Updates\{A9C95022-1F2D-44F5-916B-CAF98E2E45A3}\mpengine.dll
2010-12-27 12:02 . 2010-12-27 12:02 -------- d-----w- c:\program files (x86)\Microsoft Antimalware
2010-12-27 12:02 . 2010-12-27 12:02 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-25 07:03 . 2010-12-25 07:06 -------- d-----w- c:\progra~3\Spybot - Search & Destroy
2010-12-25 07:03 . 2010-12-25 07:06 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2010-12-24 15:09 . 2010-12-24 15:09 -------- d-----w- c:\users\Tom\AppData\Local\Sunbelt Software
2010-12-24 15:07 . 2010-12-25 06:39 -------- d-----w- c:\progra~3\Lavasoft
2010-12-24 13:58 . 2010-12-21 02:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2010-12-24 13:58 . 2010-12-24 13:58 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-12-24 09:58 . 2010-11-10 05:35 8199504 ----a-w- c:\progra~3\Microsoft\Windows Defender\Definition Updates\{13846A47-A914-4074-A346-5DF6B7B89EE6}\mpengine.dll
2010-12-14 20:13 . 2010-11-02 06:23 300544 ----a-w- c:\program files\Internet Explorer\IEShims.dll
2010-12-06 01:49 . 2010-12-06 01:49 -------- d-----w- c:\progra~3\ATI
2010-12-06 01:49 . 2010-12-06 01:49 0 ----a-w- c:\windows\ativpsrm.bin
2010-12-06 01:43 . 2010-12-06 01:43 -------- d-----w- c:\program files (x86)\ATI Technologies
2010-12-06 01:43 . 2010-12-06 01:43 -------- d-----w- c:\program files\ATI
2010-12-06 01:42 . 2010-12-06 01:46 -------- d-----w- c:\program files\ATI Technologies
2010-12-06 01:42 . 2010-12-06 01:42 -------- d-----w- C:\ATI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-13 02:53 . 2010-06-08 14:00 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2010-10-27 03:08 . 2010-10-27 03:08 16281600 ----a-w- c:\windows\SysWow64\atioglxx.dll
2010-10-27 02:55 . 2010-10-27 02:55 547328 ----a-w- c:\windows\SysWow64\aticfx32.dll
2010-10-27 02:50 . 2010-10-27 02:50 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2010-10-27 02:49 . 2010-10-27 02:49 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2010-10-27 02:49 . 2010-10-27 02:49 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2010-10-27 02:46 . 2010-10-27 02:46 4020736 ----a-w- c:\windows\SysWow64\atidxx32.dll
2010-10-27 02:35 . 2010-10-27 02:35 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2010-10-27 02:35 . 2010-10-27 02:35 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2010-10-27 02:33 . 2010-10-27 02:33 5441536 ----a-w- c:\windows\SysWow64\aticaldd.dll
2010-10-27 02:28 . 2010-10-27 02:28 4094464 ----a-w- c:\windows\SysWow64\atiumdag.dll
2010-10-27 02:14 . 2010-10-27 02:14 249856 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2010-10-27 02:14 . 2010-10-27 02:14 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2010-10-27 02:14 . 2010-10-27 02:14 27136 ----a-w- c:\windows\SysWow64\atigktxx.dll
2010-10-27 02:13 . 2010-10-27 02:13 30720 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2010-10-27 02:13 . 2010-10-27 02:13 28672 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2010-10-27 01:50 . 2010-10-27 01:50 3460096 ----a-w- c:\windows\SysWow64\atiumdva.dll
2010-10-27 01:37 . 2010-10-27 01:37 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
2010-10-27 01:37 . 2010-10-27 01:37 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-12-26_09.31.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 02:23 . 2010-12-28 16:36 63760 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-02-01 05:21 . 2010-12-28 16:36 16076 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-147557750-1053090812-367614911-1000_UserData.bin
+ 2010-03-26 05:30 . 2010-03-26 05:30 40832 c:\windows\system32\drivers\MpNWMon.sys
- 2009-02-01 04:17 . 2010-12-25 16:07 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-01 04:17 . 2010-12-28 23:11 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-01 04:17 . 2010-12-28 23:11 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-01 04:17 . 2010-12-25 16:07 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-01 04:17 . 2010-12-28 23:11 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-01 04:17 . 2010-12-25 16:07 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-09-19 19:04 . 2010-12-28 16:34 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-09-19 19:04 . 2010-12-25 18:43 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-19 19:04 . 2010-12-28 16:34 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-09-19 19:04 . 2010-12-25 18:43 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 12:40 . 2010-12-25 17:49 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 12:40 . 2010-12-27 13:18 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 12:40 . 2010-12-27 13:18 51200 c:\windows\inf\infpub.dat
- 2006-11-02 12:40 . 2010-12-25 17:49 51200 c:\windows\inf\infpub.dat
- 2010-12-26 09:13 . 2010-12-26 09:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-12-29 15:28 . 2010-12-29 15:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-12-26 09:13 . 2010-12-26 09:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-12-29 15:28 . 2010-12-29 15:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-12-27 06:22 . 2010-11-13 02:53 157472 c:\windows\SysWOW64\javaws.exe
- 2010-11-07 11:39 . 2010-09-15 12:50 145184 c:\windows\SysWOW64\javaw.exe
+ 2010-12-27 06:22 . 2010-11-13 02:53 145184 c:\windows\SysWOW64\javaw.exe
- 2010-11-07 11:39 . 2010-09-15 12:50 145184 c:\windows\SysWOW64\java.exe
+ 2010-12-27 06:22 . 2010-11-13 02:53 145184 c:\windows\SysWOW64\java.exe
+ 2006-11-02 15:45 . 2010-12-28 16:36 157862 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 12:46 . 2010-12-28 16:39 613032 c:\windows\system32\perfh009.dat
- 2006-11-02 12:46 . 2010-12-26 09:20 613032 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2010-12-28 16:39 107990 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2010-12-26 09:20 107990 c:\windows\system32\perfc009.dat
+ 2009-10-03 04:54 . 2010-10-19 20:51 270720 c:\windows\system32\MpSigStub.exe
- 2009-10-03 04:54 . 2010-10-19 18:41 270720 c:\windows\system32\MpSigStub.exe
+ 2010-03-26 05:30 . 2010-03-26 05:30 173984 c:\windows\system32\drivers\MpFilter.sys
+ 2010-12-27 12:02 . 2010-12-27 12:02 301056 c:\windows\Installer\3415cb.msi
+ 2010-12-27 12:02 . 2010-12-27 12:02 335360 c:\windows\Installer\3415c6.msi
+ 2006-11-02 12:40 . 2010-12-27 13:18 143360 c:\windows\inf\infstrng.dat
- 2006-11-02 12:40 . 2010-12-25 17:49 143360 c:\windows\inf\infstrng.dat
+ 2010-12-27 13:05 . 2010-12-27 13:05 2283008 c:\windows\Installer\61d802.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2008-07-10 225396]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-27 98304]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
"B Register c:\program files (x86)\DivX\DivX Plus DirectShow Filters\DivXDecH264.ax"="c:\windows\system32\rundll32.exe" [2006-11-02 44544]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"StartMSu"="c:\program files (x86)\Creative\MediaSource5\Startmsu.exe" [2006-10-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2008-11-12 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-01-10 79360]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 40832]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R4 ETService;Empowering Technology Service;c:\program files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-06-11 24576]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-31 55024]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-03-01 867064]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-10-27 203776]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-10-27 8012288]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-10-27 287232]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys [2008-06-13 316544]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64k.sys [2009-05-09 33160]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [2008-06-04 204288]

.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF18827.cfxxe" [X]
"RunDLLEntry"="c:\windows\system32\RunDLL32.exe" [2006-11-02 46592]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-21 182808]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 2342800]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 2314120]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1448568]
.
------- Supplementary Scan -------
.
uLocal Page = %SystemRoot%\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
FF - ProfilePath - c:\users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\bnzr58a6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\MHotKey.exe
c:\windows\ChiFuncExt.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
.
**************************************************************************
.
Completion time: 2010-12-29 07:33:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-29 15:33
ComboFix2.txt 2010-12-27 11:10
ComboFix3.txt 2010-12-26 09:33

Pre-Run: 252,964,798,464 bytes free
Post-Run: 252,959,793,152 bytes free

- - End Of File - - 52B0FD0BE0E93F39390EA693DF538A6F



Kaspersky online scanner: I went to the link and ran this in 32bit Internet Explorer run as admin as per directions. After the lengthy database update downloaded, the program stopped. From perusing Kaspersky's main site, it appears that this Kaspersky Online Scanner utility is offline until they are ready to deploy an improved version. http://www.kaspersky.com/virusscanner
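A small triage helper for ComboFix log lines like the ones above, added here as an example; it is not part of ComboFix, of this thread or of any post in it. It pulls apart the Run-key lines ("name"="path" [date size], or [X] when the target file is gone), the driver/service lines (S0 sptd;sptd;path [date size]) and the hex(6) SymbolicLinkValue shown under the locked Wow6432Node\Classes key that the CFScript above locks, and it marks the entries a reviewer would look at first. The review rules (missing target, executable sitting directly in c:\windows, boot-start S0 driver, ComboFix's own leftover Run entry) are my assumptions for illustration; the sample lines are copied from the log above. A flag means "look at this", not "this is malware".

```python
"""Triage helpers for ComboFix-style log lines.

Added example for this thread, not ComboFix's own code and not from any
post above.  The review rules are assumptions for illustration: they pick
out entries worth a second look, they do not decide that anything is malware.
"""
import re

# Run-key line:  "name"="c:\path\file.exe" [2009-05-26 2314120]   ("[X]" = file missing)
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# Service/driver line:  S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-03-01 867064]
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')
# An executable directly under c:\windows (not in system32 or a vendor folder)
WINDOWS_ROOT = re.compile(r'^c:\\windows\\[^\\]+$', re.IGNORECASE)

# Constructed sample: a handful of lines copied from the ComboFix log in this thread.
SAMPLE = r'''
"combofix"="c:\combofix\CF18827.cfxxe" [X]
"RunDLLEntry"="c:\windows\system32\RunDLL32.exe" [2006-11-02 46592]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"AvgUninstallURL"="start http:" [X]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1448568]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-03-01 867064]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 40832]
R4 ETService;Empowering Technology Service;c:\program files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-06-11 24576]
'''

# The truncated hex(6) value from the "LOCKED REGISTRY KEYS" section, as printed in the log.
LINK_SAMPLE = r'''5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
'''


def parse_run_entry(line):
    """Return a dict for a Run/RunOnce line, or None if the line is not one."""
    m = RUN_RE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta")
    return {"name": m.group("name"), "path": m.group("path"),
            "missing": meta == "X", "meta": meta}


def parse_service_entry(line):
    """Return a dict for a driver/service line (R0-R4 / S0-S4 prefix), or None."""
    m = SVC_RE.match(line.strip())
    if not m:
        return None
    return {"start": m.group("start"), "name": m.group("name"),
            "display": m.group("display"), "path": m.group("path"),
            "meta": m.group("meta")}


def review_reasons(entry):
    """Assumed review rules; each returned string is a reason to look closer."""
    reasons = []
    if entry.get("missing"):
        reasons.append("target file missing ([X]): stale or self-deleting autorun")
    if WINDOWS_ROOT.match(entry["path"]):
        reasons.append("executable placed directly in c:\\windows, not in system32 or a program folder")
    if entry.get("start") == "S0":
        reasons.append("boot-start driver (S0): loads before security software, verify signer and vendor")
    if "\\combofix\\" in entry["path"].lower():
        reasons.append("ComboFix's own leftover, expected to go away with 'ComboFix /Uninstall'")
    return reasons


def triage(text):
    """Map entry name -> list of reasons, for every line that triggered a rule."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_run_entry(line) or parse_service_entry(line)
        if entry is None:
            continue
        reasons = review_reasons(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


def decode_reg_link(hex_value):
    """Decode a REG_LINK (hex(6)) value in .reg export syntax to the path it points at.

    Continuation backslashes and whitespace are stripped first, the comma-separated
    bytes are decoded as UTF-16LE.  A value that was cut off in the log decodes to
    whatever prefix survived.
    """
    cleaned = re.sub(r'[\s\\]', '', hex_value)
    raw = bytes(int(b, 16) for b in cleaned.split(',') if b)
    return raw.decode('utf-16-le', errors='ignore').rstrip('\x00')


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(name)
        for r in reasons:
            print("   -", r)
    print("SymbolicLinkValue ->", decode_reg_link(LINK_SAMPLE))
```

On the log above this flags the leftover "combofix" Run entry, the dead "AvgUninstallURL" entry, UpdReg.EXE sitting in the Windows root, and the S0 sptd driver; the decoded link target starts with \REGISTRY\MACHINE\SOF, i.e. a key under HKLM\SOFTWARE, so the next step would be to compare that key against a known-clean 64-bit machine rather than to delete it on sight.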
 
Are you not seeing anything here Bobbye? A lot of people have been having this issue, and none of them have been able to find the source or remove it. As for another possible lead, the timing of this report seems to coincide well with the stolen identity information in real time:

http://www.microsoft.com/technet/security/advisory/2488013.mspx

As this has been ongoing for awhile with no remedy in sight, I've decided to format and reinstall. Ugh, the lesser of two evils I guess. I've ordered recovery software for 20 bones to arrive in a week, straight from the manufacturer of my PC (there is a recovery partition, however I don't trust that to be clean).

Before I do that, however, I'd like to back up recent data if it's possible to do so safely (things like wedding photos, mp3s I've purchased, bookmarks, etc onto Dvd). Could you please take me through the steps necessary to undo and remove whatever it is that has been done by ComboFix as you tried to help me search for and pinpoint the malware.
 
I use torrent technology through utorrent rarely for legitimate purposes (like when a software developer distributes via torrent, but their proprietary software fails to perform well.)

Regarding uTorrent:
P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
=================================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

I did not see any indication of malware in these logs.

You will find excellent reformat/reinstall instructions here:
http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html
 