Thanks for taking the time to read this first off.
I recently have been hacked, and had one of my passwords changed without my consent. I've take and read all the steps and have downloaded all the programs ran them step by step.
I've ran AVG, along with the other programs suggested on here. I've seen 3 infections, and sometimes several warnings while running these scans. The infection that kept coming up was Trojan.
Here is my log for SuperAntiSpyware:
Generated 06/07/2009 at 03:34 AM
Application Version : 4.26.1004
Core Rules Database Version : 3928
Trace Rules Database Version: 1871
Scan type : Complete Scan
Total Scan Time : 00:52:13
Memory items scanned : 446
Memory threats detected : 0
Registry items scanned : 3866
Registry threats detected : 2
File items scanned : 81872
File threats detected : 16
Trojan.Agent/Gen-Virut
[svc] C:\PROGRAM FILES\THUNM\TESTABD.EXE
C:\PROGRAM FILES\THUNM\TESTABD.EXE
[svc] C:\PROGRAM FILES\THUNM\TESTABD.EXE
Adware.Tracking Cookie
E:\Documents and Settings\12ko'donnell\Cookies\12ko'donnell@adrevolver[1].txt
E:\Documents and Settings\12ko'donnell\Cookies\12ko'
[email protected][1].txt
E:\Documents and Settings\12ko'donnell\Cookies\12ko'
[email protected][2].txt
E:\Documents and Settings\12ko'donnell\Cookies\12ko'donnell@atwola[2].txt
E:\Documents and Settings\12ko'donnell\Cookies\12ko'
[email protected][2].txt
E:\Documents and Settings\12ko'donnell\Cookies\12ko'
[email protected][1].txt
E:\Documents and Settings\12ko'donnell\Cookies\12ko'
[email protected][1].txt
E:\Documents and Settings\12ko'donnell\Cookies\12ko'
[email protected][1].txt
E:\Documents and Settings\12ko'donnell\Cookies\12ko'
[email protected][1].txt
E:\Documents and Settings\12ko'donnell\Cookies\12ko'
[email protected][1].txt
E:\Documents and Settings\12ksutera\Local Settings\Temp\Cookies\12ksutera@insightexpressai[2].txt
E:\Documents and Settings\ldrenth\Cookies\
[email protected][1].txt
E:\Documents and Settings\ldrenth\Cookies\
[email protected][2].txt
E:\Documents and Settings\ldrenth\Cookies\ldrenth@atwola[1].txt
Trojan.Unclassified/RegSVR-Fake
E:\WINDOWS\SYSTEM\REGSVR.EXE
Here is the Mbam-log:
6/7/2009 11:44:04 AM
mbam-log-2009-06-07 (11-44-04).txt
Scan type: Quick Scan
Objects scanned: 74420
Time elapsed: 5 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
c:\documents and settings\T\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\T\application data\malwareremovalbot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\T\application data\malwareremovalbot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\T\application data\malwareremovalbot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\T\application data\malwareremovalbot\Log\2009 Jun 06 - 05_09_27 PM_125.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\T\application data\malwareremovalbot\Log\2009 Jun 06 - 05_09_55 PM_156.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\T\application data\malwareremovalbot\Log\2009 Jun 06 - 05_20_35 PM_875.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\T\application data\malwareremovalbot\Log\2009 Jun 06 - 06_05_04 PM_109.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\T\application data\malwareremovalbot\Log\2009 Jun 06 - 06_16_39 PM_671.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\T\application data\malwareremovalbot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
Here is the Hijackthis log:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\sniper.exe\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.yahoo.com/search/ie.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL =
http://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=%sR3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} (DyynoX Class) -
http://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.CABO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\progra~1\ThunM\testabd.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
--
End of file - 5647 bytes