
Author Topic: Keylogger  (Read 4137 times)


TK87 (Topic Starter)

    Keylogger
    « on: June 07, 2009, 11:13:09 AM »
    Thanks for taking the time to read this first off.

    I recently have been hacked, and had one of my passwords changed without my consent. I've taken and read all the steps and have downloaded all the programs and run them step by step.

    I've run AVG, along with the other programs suggested on here. I've seen 3 infections, and sometimes several warnings while running these scans. The infection that kept coming up was Trojan.

    Here is my log for SuperAntiSpyware:

    Generated 06/07/2009 at 03:34 AM

    Application Version : 4.26.1004

    Core Rules Database Version : 3928
    Trace Rules Database Version: 1871

    Scan type       : Complete Scan
    Total Scan Time : 00:52:13

    Memory items scanned      : 446
    Memory threats detected   : 0
    Registry items scanned    : 3866
    Registry threats detected : 2
    File items scanned        : 81872
    File threats detected     : 16

    Trojan.Agent/Gen-Virut
       [svc] C:\PROGRAM FILES\THUNM\TESTABD.EXE
       C:\PROGRAM FILES\THUNM\TESTABD.EXE
       [svc] C:\PROGRAM FILES\THUNM\TESTABD.EXE

    Adware.Tracking Cookie
       E:\Documents and Settings\12ko'donnell\Cookies\12ko'donnell@adrevolver[1].txt
       E:\Documents and Settings\12ko'donnell\Cookies\12ko'[email protected][1].txt
       E:\Documents and Settings\12ko'donnell\Cookies\12ko'[email protected][2].txt
       E:\Documents and Settings\12ko'donnell\Cookies\12ko'donnell@atwola[2].txt
       E:\Documents and Settings\12ko'donnell\Cookies\12ko'[email protected][2].txt
       E:\Documents and Settings\12ko'donnell\Cookies\12ko'[email protected][1].txt
       E:\Documents and Settings\12ko'donnell\Cookies\12ko'[email protected][1].txt
       E:\Documents and Settings\12ko'donnell\Cookies\12ko'[email protected][1].txt
       E:\Documents and Settings\12ko'donnell\Cookies\12ko'[email protected][1].txt
       E:\Documents and Settings\12ko'donnell\Cookies\12ko'[email protected][1].txt
       E:\Documents and Settings\12ksutera\Local Settings\Temp\Cookies\12ksutera@insightexpressai[2].txt
       E:\Documents and Settings\ldrenth\Cookies\[email protected][1].txt
       E:\Documents and Settings\ldrenth\Cookies\[email protected][2].txt
       E:\Documents and Settings\ldrenth\Cookies\ldrenth@atwola[1].txt

    Trojan.Unclassified/RegSVR-Fake
       E:\WINDOWS\SYSTEM\REGSVR.EXE

    Here is the Mbam-log:

    6/7/2009 11:44:04 AM
    mbam-log-2009-06-07 (11-44-04).txt

    Scan type: Quick Scan
    Objects scanned: 74420
    Time elapsed: 5 minute(s), 18 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 8

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\documents and settings\T\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
    c:\documents and settings\T\application data\malwareremovalbot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
    c:\documents and settings\T\application data\malwareremovalbot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\T\application data\malwareremovalbot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
    c:\documents and settings\T\application data\malwareremovalbot\Log\2009 Jun 06 - 05_09_27 PM_125.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
    c:\documents and settings\T\application data\malwareremovalbot\Log\2009 Jun 06 - 05_09_55 PM_156.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
    c:\documents and settings\T\application data\malwareremovalbot\Log\2009 Jun 06 - 05_20_35 PM_875.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
    c:\documents and settings\T\application data\malwareremovalbot\Log\2009 Jun 06 - 06_05_04 PM_109.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
    c:\documents and settings\T\application data\malwareremovalbot\Log\2009 Jun 06 - 06_16_39 PM_671.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
    c:\documents and settings\T\application data\malwareremovalbot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
    C:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

    Here is the Hijackthis log:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\sniper.exe\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=%s
    R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
    R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} (DyynoX Class) - http://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.CAB
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: c:\progra~1\ThunM\testabd.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 5647 bytes



    evilfantasy (Malware Removal Specialist, Moderator)
    Re: Keylogger
    « Reply #1 on: June 07, 2009, 12:02:19 PM »
    My first suggestion is to reformat and reinstall. Your computer is infected with Virut which is normally incurable.

    The logs show that you are infected by an infection called Virut or Sality. Virut/Sality is a virus that infects all executable files and screensavers. Virut also opens a back door providing the attacker with unauthorized remote access to the infected computer. Definition: Polymorphic virus.

    There is no way to cure this infection. Your only option is to perform a full reformat. Do NOT attempt a repair install. Trying to fix this infection will only leave the computer unusable. See Virut on the Rise and Virut and other File infectors - Throwing in the Towel? for more information. 

    Note that if you decide to try and clean this you must be extremely careful about what is backed up, as these new infections can get into many different file extensions (DLL, EXE, SCR, HTM, HTML, MP3, AVI, WMV, PDF.....etc). A complete reformat and reinstall is highly suggested! Avoid backing up compressed files (zip/cab/rar.....etc). Virut can also penetrate compressed files that have .exe or .scr inside them.

    Backing up files before formatting

    If you back up any files they should be scanned from a clean, properly protected PC before restoring. Also be careful what scanner is used, as some are very poor at detecting and even worse at protecting from this infection. In fact, due to the nature of these new infections there are probably no tools that will properly protect you from the infection. Be very selective and only back up files you cannot replace, like text documents and personal photos.

    Do not back up to another machine! It will likely become infected by Virut. Burn to DVD/CD, a flash drive or to an external drive which has nothing else on it and which you can format should it become infected from the backups.

    I suggest running at least 3 of the below scanners on the backup files. Run the first scan then reboot before running the second then reboot after the second before running the third.
     
    -) Dr.Web CureIt!
    -) AVG Win32/Virut Removal Tool
    -) Symantec W32.Virut Removal Tool
    -) McAfee Avert Stinger
    -) Microsoft Windows Malicious Software Removal Tool

    If you do not know how to perform a fresh install, use this website -> http://www.windowsreinstall.com/

    Very important, do the following immediately or as soon as possible!

    If you have done any online transactions, call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts and/or change all of your account numbers.
     
    From a clean computer change all of your online passwords including for email, banks, financial accounts, PayPal, eBay, online credit card companies and any online forums or groups you belong to etc.

    DO NOT change passwords or do any transactions while using the infected computer. The attacker will get the new passwords and transaction information.
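
    The backup triage that the reply above describes (only irreplaceable documents and photos, no executables or screensavers, no compressed files, and nothing trusted on its file name alone), as an added example that is not part of the original post or of any of the tools it names. It classifies files by their leading bytes rather than by extension, so a renamed executable is still rejected, and it looks inside zip archives for executable members. The file names and sample bytes are constructed for the demo; the script decides what is worth carrying across and scanning, it does not replace the scans themselves.

```python
"""Triage a backup set before it is restored onto a clean machine.

Added example, not from the forum post. It applies the reply's advice
mechanically: reject anything Virut infects (PE executables, screensavers,
DLLs and the other listed types), reject compressed files, report archives
that carry executables, and accept only files whose *content* is a plain
document or photo. All sample files below are constructed for the demo.
"""
import os
import tempfile
import zipfile

# Types the reply lists as infectable or risky to carry across.
RISKY_EXT = {".exe", ".dll", ".scr", ".htm", ".html", ".pdf", ".mp3", ".avi", ".wmv"}
ARCHIVE_EXT = {".zip", ".cab", ".rar"}
SAFE_KINDS = {"jpeg", "png", "text"}

# Header signatures, checked before the extension so a renamed .exe is still caught.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF", "pdf"),
]

def sniff(head: bytes) -> str:
    """Classify a file by its leading bytes, not by its name."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    if head and b"\x00" not in head:
        try:
            head.decode("utf-8")
            return "text"
        except UnicodeDecodeError:
            pass
    return "unknown"

def risky_archive_members(path: str) -> list:
    """Zip members that are executables by extension or by MZ header."""
    bad = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                kind = sniff(fh.read(8))
            if ext in RISKY_EXT or kind == "pe-executable":
                bad.append(info.filename)
    return bad

def classify(path: str) -> tuple:
    """Return (verdict, reason); verdict is accept, reject or hold."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        kind = sniff(fh.read(512))
    if kind == "zip":
        bad = risky_archive_members(path)
        why = ("archive contains executables: " + ", ".join(bad)) if bad else "compressed file"
        return "reject", why
    if ext in ARCHIVE_EXT:
        return "reject", "compressed file"
    if kind == "pe-executable":
        note = "" if ext in RISKY_EXT else f", renamed as {ext or 'no extension'}"
        return "reject", "PE executable" + note
    if ext in RISKY_EXT:
        return "reject", f"infectable type {ext}"
    if kind in SAFE_KINDS:
        return "accept", kind
    return "hold", f"unrecognised content ({kind}), review by hand"

def triage(root: str) -> dict:
    """Map each file under root (relative path) to its (verdict, reason)."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify(full)
    return results

def build_demo() -> str:
    """Constructed sample backup set; nothing here comes from the thread's machine."""
    root = tempfile.mkdtemp(prefix="backup-triage-")
    files = {
        "notes.txt": b"phone numbers for the bank\n",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "setup.exe": b"MZ" + b"\x90" * 62,
        "vacation.jpg": b"MZ" + b"\x90" * 62,  # executable renamed to look like a photo
        "report.pdf": b"%PDF-1.4\n",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
        zf.writestr("readme.txt", "usage notes\n")
        zf.writestr("tool.exe", b"MZ" + b"\x90" * 62)
    return root

def demo_results() -> dict:
    return triage(build_demo())

if __name__ == "__main__":
    for name, (verdict, why) in sorted(demo_results().items()):
        print(f"{verdict:6} {name:14} {why}")
```

    Point it at the real backup directory with `triage("E:\\backup")` once the demo makes sense; anything marked `hold` is a file the script could not recognise and should be looked at by hand rather than waved through.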

      TK87 (Topic Starter)

      Re: Keylogger
      « Reply #2 on: June 07, 2009, 12:05:03 PM »
      Ugh, that really sucks. I don't know how I could've gotten such a virus; this is my first time really getting one in 4 years too.

      Thanks for the help I appreciate it.

      I just don't understand how I could have gotten such a nasty virus in a matter of seconds. I remember opening a bad link, and I immediately shut down as fast as I could.

      I guess it shows how careful I have to be after this.
      « Last Edit: June 07, 2009, 12:18:23 PM by TK87 »

      evilfantasy
      Re: Keylogger
      « Reply #3 on: June 07, 2009, 12:17:26 PM »
      Yea...

      Sorry and good luck!

      BC_Programmer
      Re: Keylogger
      « Reply #4 on: June 07, 2009, 12:53:57 PM »
      Actually, as embarrassing as it is for me to reveal this, I was infected with Virut for over a month before I even had an inkling what was happening; so you might have had it for a few days already, or even longer! The thing that tipped me off eventually was its habit of changing HTML files on me; my text editor kept saying it changed, I'd reload, and immediately it would say it again, so I knew something was up.


      evilfantasy
      Re: Keylogger
      « Reply #5 on: June 07, 2009, 12:58:52 PM »
      I recently had someone report to me that the Dr.Web LiveCD successfully cleaned Virut from a client's computer. * Not sure I would trust anything but a reformat and reinstall, especially when being paid...

      But it does make a little sense. The live CD is Linux-based, so you aren't actually using the Windows files, giving it a better chance of actually repairing them. I would need a few more confirmations on that before actually believing it though.

        TK87 (Topic Starter)

        Re: Keylogger
        « Reply #6 on: June 07, 2009, 01:09:17 PM »
        I actually knew I used a bad link, exited as fast as I could, and turned my computer off immediately, but apparently it did nothing. I was infected with this virus in 5 seconds or less, I suppose, although I didn't know the severity of this particular virus.

        I ran a full AVG scan the next day and deleted everything I found; I figured I was in the clear, but a week later my password was changed. A big part was obviously my fault for not using the right amount of precautions I should have been using while browsing.

        Not having had any viruses for so long and feeling like I would never be dumb enough to get one, I rarely used any addons to block out bad links. Welp, here I am  :-\

        evilfantasy
        Re: Keylogger
        « Reply #7 on: June 07, 2009, 01:14:28 PM »
        It's still there for sure.

        Quote
        O20 - AppInit_DLLs: c:\progra~1\ThunM\testabd.dll

        That is a clear sign that it has control. Whenever I see ThunMail or testabd.dll I know it's probably a lost cause.