PDA

View Full Version : Reappearing Banker Trojan



SaintKargoth
2010-07-09, 01:59
I suspect something is hiding somewhere but i cant quite pin it down. here is my dds.


DDS (Ver_10-03-17.01) - NTFSX64
Run by User at 18:40:46.04 on Thu 07/08/2010
Internet Explorer: 8.0.6001.18928
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8189.6111 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Windows\system32\lsm.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RAVCpl64.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\iWin Games\iWinTrusted.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\AVG\AVG9\avgemc.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\User\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
mLocal Page = c:\windows\syswow64\blank.htm
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files (x86)\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - c:\program files (x86)\d-link toolbar\dlinktb.dll
mURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - c:\program files (x86)\d-link toolbar\dlinktb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files (x86)\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~2\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files (x86)\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: D-Link Toolbar Loader: {f01858c7-2a68-4d93-9e22-502eae3917c2} - c:\program files (x86)\d-link toolbar\dlinktb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files (x86)\avg\avg9\toolbar\IEToolbar.dll
TB: D-Link Toolbar: {61874dfa-9adf-44e5-8e61-f3913707e7d7} - c:\program files (x86)\d-link toolbar\dlinktb.dll
uRun: [SpybotSD TeaTimer] c:\program files (x86)\spybot - search & destroy\TeaTimer.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Octoshape Streaming Services] "c:\users\user\appdata\roaming\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [WMPNSCFG] c:\program files (x86)\windows media player\WMPNSCFG.exe
uRunOnce: [Shockwave Updater] c:\windows\syswow64\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" -"http://www.candystand.com/play/bombs-away"
mRun: [NWEReboot]
mRun: [AVG9_TRAY] c:\progra~2\avg\avg9\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files (x86)\common files\java\java update\jusched.exe"
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files (x86)\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~2\spybot~1\SDHelper.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files (x86)\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~2\common~1\skype\SKYPE4~1.DLL
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files (x86)\avg\avg9\avgssiea.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: D-Link Toolbar: {61874DFA-9ADF-44E5-8E61-F3913707E7D7} -
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [RtHDVCpl] RAVCpl64.exe
mRun-x64: [Skytel] Skytel.exe
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
AppInit_DLLs-X64: avgrssta.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx64;AVG Free AVI Loader Driver x64;c:\windows\system32\drivers\avgldx64.sys [2009-10-1 269320]
R1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64;c:\windows\system32\drivers\avgmfx64.sys [2009-10-1 35536]
R1 AvgTdiA;AVG Free8 Network Redirector x64;c:\windows\system32\drivers\avgtdia.sys [2009-10-1 317520]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files (x86)\avg\avg9\avgemc.exe [2010-3-17 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files (x86)\avg\avg9\avgwdsvc.exe [2010-3-17 308064]
R2 iWinTrusted;iWinTrusted;c:\program files (x86)\iwin games\iWinTrusted.exe [2010-4-14 78104]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\spybot - search & destroy\SDWinSec.exe [2009-10-1 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-4-3 240232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-10-2 35104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\B350.tmp [2010-6-28 6144]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework64\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-12-3 89920]

============== File Associations ===============

JSEFile=c:\windows\syswow64\WScript.exe "%1" %*

=============== Created Last 30 ================

2010-07-06 16:58:45 0 d-----w- c:\program files (x86)\BabasChess
2010-07-04 07:00:32 453456 ----a-w- c:\windows\syswow64\d3dx10_42.dll
2010-07-04 07:00:32 1892184 ----a-w- c:\windows\syswow64\D3DX9_42.dll
2010-07-04 07:00:28 0 d-----w- c:\windows\syswow64\xlive
2010-07-04 07:00:19 0 d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE
2010-07-04 00:57:39 43520 ----a-w- c:\windows\syswow64\CmdLineExt03.dll
2010-07-04 00:54:44 0 d-----w- c:\program files (x86)\Ground Control II
2010-07-03 10:30:53 0 d-----w- c:\users\user\appdata\roaming\Microsoft Games
2010-07-03 10:30:52 0 d-----w- c:\users\user\appdata\roaming\NVIDIA
2010-07-03 10:12:29 0 d-----w- c:\program files (x86)\common files\Microsoft Games
2010-07-03 10:12:24 444776 ----a-w- c:\windows\syswow64\d3dx10_35.dll
2010-07-03 10:12:24 1358192 ----a-w- c:\windows\syswow64\D3DCompiler_35.dll
2010-07-03 10:12:23 3727720 ----a-w- c:\windows\syswow64\d3dx9_35.dll
2010-07-03 10:12:22 237848 ----a-w- c:\windows\syswow64\xactengine2_4.dll
2010-07-03 10:12:22 15128 ----a-w- c:\windows\syswow64\x3daudio1_1.dll
2010-07-03 10:12:16 81768 ----a-w- c:\windows\syswow64\xinput1_3.dll
2010-07-03 10:12:16 443752 ----a-w- c:\windows\syswow64\d3dx10_33.dll
2010-07-03 10:12:16 3495784 ----a-w- c:\windows\syswow64\d3dx9_33.dll
2010-07-03 10:12:16 1123696 ----a-w- c:\windows\syswow64\D3DCompiler_33.dll
2010-07-03 09:21:46 0 d-----w- c:\program files (x86)\Microsoft Games
2010-07-03 06:32:48 0 d-----w- C:\NeverwinterNights
2010-06-28 19:19:27 0 d-----w- c:\users\user\appdata\roaming\ChessBase
2010-06-28 19:18:52 0 d-----w- c:\program files (x86)\common files\ChessBase
2010-06-28 19:17:38 0 d-----w- c:\program files (x86)\ChessBase
2010-06-28 15:53:37 0 d-----w- c:\programdata\Sophos
2010-06-28 15:50:08 0 d-----w- C:\Sophos
2010-06-28 15:49:31 0 d-----w- C:\scss_10
2010-06-28 15:20:39 6144 ------w- c:\windows\system32\B350.tmp
2010-06-28 15:19:41 6144 ------w- c:\windows\system32\D39B.tmp
2010-06-28 11:04:37 6144 ------w- c:\windows\system32\4DF4.tmp
2010-06-28 11:03:27 6144 ------w- c:\windows\system32\3CE3.tmp
2010-06-28 11:03:21 0 d-----w- c:\program files (x86)\Sophos
2010-06-28 10:23:50 0 d-----w- c:\programdata\PMB Files
2010-06-27 23:34:52 0 ----a-w- c:\windows\syswow64\config.nt
2010-06-27 23:33:58 0 d-----w- c:\programdata\Alwil Software
2010-06-27 23:33:58 0 d-----w- c:\program files\Alwil Software
2010-06-24 06:46:27 99176 ----a-w- c:\windows\syswow64\PresentationHostProxy.dll
2010-06-24 06:46:27 49472 ----a-w- c:\windows\syswow64\netfxperf.dll
2010-06-24 06:46:27 48960 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 06:46:27 444752 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 06:46:27 320352 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 06:46:27 297808 ----a-w- c:\windows\syswow64\mscoree.dll
2010-06-24 06:46:27 295264 ----a-w- c:\windows\syswow64\PresentationHost.exe
2010-06-24 06:46:27 1942856 ----a-w- c:\windows\system32\dfshim.dll
2010-06-24 06:46:27 1130824 ----a-w- c:\windows\syswow64\dfshim.dll
2010-06-24 06:46:27 109912 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-23 22:30:57 4240384 ----a-w- c:\windows\syswow64\GameUXLegacyGDFs.dll
2010-06-23 22:30:57 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-23 22:30:57 32256 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-23 22:30:57 28672 ----a-w- c:\windows\syswow64\Apphlpdm.dll
2010-06-16 19:27:21 0 d-----w- c:\windows\syswow64\%ProgramW6432%

==================== Find3M ====================

2010-07-08 21:52:20 97013 ----a-w- c:\programdata\nvModes.dat
2010-06-28 08:44:34 22754 ----a-w- C:\out.dat
2010-06-28 04:14:41 41690 ----a-w- c:\windows\DIIUnin.dat
2010-06-07 01:53:30 86016 ----a-w- c:\windows\inf\infstor.dat
2010-06-07 01:53:30 51200 ----a-w- c:\windows\inf\infpub.dat
2010-06-07 01:53:30 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-02 14:31:07 35536 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
2010-06-02 14:31:07 317520 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2010-05-26 17:23:46 48128 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 17:06:41 34304 ----a-w- c:\windows\syswow64\atmlib.dll
2010-05-26 15:10:41 366080 ----a-w- c:\windows\system32\atmfd.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\syswow64\atmfd.dll
2010-05-04 06:56:19 1147904 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 06:51:49 132096 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 06:51:48 77312 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:59:21 916480 ----a-w- c:\windows\syswow64\wininet.dll
2010-05-04 05:59:11 1209344 ----a-w- c:\windows\syswow64\urlmon.dll
2010-05-04 05:58:07 206848 ----a-w- c:\windows\syswow64\occache.dll
2010-05-04 05:56:49 611840 ----a-w- c:\windows\syswow64\mstime.dll
2010-05-04 05:56:28 5950976 ----a-w- c:\windows\syswow64\mshtml.dll
2010-05-04 05:56:25 599040 ----a-w- c:\windows\syswow64\msfeeds.dll
2010-05-04 05:56:25 55296 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-05-04 05:55:56 25600 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\syswow64\iesetup.dll
2010-05-04 05:55:42 1985536 ----a-w- c:\windows\syswow64\iertutil.dll
2010-05-04 05:55:42 164352 ----a-w- c:\windows\syswow64\ieui.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\syswow64\iesysprep.dll
2010-05-04 05:55:41 55808 ----a-w- c:\windows\syswow64\iernonce.dll
2010-05-04 05:55:41 184320 ----a-w- c:\windows\syswow64\iepeers.dll
2010-05-04 05:55:41 11076096 ----a-w- c:\windows\syswow64\ieframe.dll
2010-05-04 05:55:37 387584 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-05-04 05:01:59 162816 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-04 04:31:05 133632 ----a-w- c:\windows\syswow64\ieUnatt.exe
2010-05-04 04:30:58 173056 ----a-w- c:\windows\syswow64\ie4uinit.exe
2010-05-04 04:30:19 13312 ----a-w- c:\windows\syswow64\msfeedssync.exe
2010-05-01 18:20:44 411368 ----a-w- c:\windows\syswow64\deployJava1.dll
2010-05-01 18:20:44 153376 ----a-w- c:\windows\syswow64\javaws.exe
2010-05-01 18:20:44 145184 ----a-w- c:\windows\syswow64\javaw.exe
2010-05-01 18:20:44 145184 ----a-w- c:\windows\syswow64\java.exe
2010-05-01 14:39:56 2752000 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 18:45:56 72856 ----a-w- c:\windows\syswow64\xliveinstallhost.exe
2010-04-27 18:45:56 187544 ----a-w- c:\windows\syswow64\xliveinstall.dll
2010-04-23 14:33:28 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-23 14:13:55 2048 ----a-w- c:\windows\syswow64\tzres.dll
2009-12-05 08:10:40 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 03:21:59 174 --sha-w- c:\program files\desktop.ini
2008-01-21 03:21:59 174 --sha-w- c:\program files (x86)\desktop.ini
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-04-07 22:59:06 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
2010-04-07 22:59:06 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
2010-04-07 22:59:06 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2010-04-04 17:41:08 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-04-08 00:55:09 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\cookies\index.dat
2010-04-08 00:55:09 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\history\history.ie5\index.dat
2010-04-08 00:55:09 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2009-10-16 16:23:11 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-01 02:33:23 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-05 00:13:48 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-10-05 00:13:48 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-10-05 00:13:48 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 18:41:07.99 ===============

I appologize for not blanking out the hosts file link i didnt see it until afterwards and it seems suspicious.

shelf life
2010-07-17, 00:22
Hi,

Your log is a few days old. If you still need help post back.

SaintKargoth
2010-07-17, 05:05
Yes I still need help. I have downloaded GMER already if you wish me to rerun DDS again I shall do that as well. I had an online game password that was stolen so I'm pretty sure i had a keylogger but ive yet to find it.

shelf life
2010-07-17, 14:58
ok. Lets see if malwarebytes can dig anything up first.

Passwords can be stolen other ways besides having resident malware on board your machine. You should also visit the games main website/forum/FAQ etc, somewhere there probably is information on what to do if you think your password has been stolen and how to prevent it in the future.

Please download Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

SaintKargoth
2010-07-17, 20:10
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4304

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

7/17/2010 1:07:43 PM
mbam-log-2010-07-17 (13-07-43).txt

Scan type: Full scan (C:\|)
Objects scanned: 301198
Time elapsed: 58 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

shelf life
2010-07-18, 17:06
That result cant look any better. You can keep Malwarebytes. The free version must be updated manually and a scan started manually.
You can get another opinion for malware by doing the online scan, if all looks good then you should change your password that was stolen if you havent already.:

ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.

SaintKargoth
2010-07-18, 19:51
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e4b61084f0404540a80d979cb8d2c48c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-18 04:44:25
# local_time=2010-07-18 12:44:25 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 9088544 9088544 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 21716984 21716984 0 0
# compatibility_mode=5892 16776574 100 56 21718933 116066134 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=186791
# found=0
# cleaned=0
# scan_time=4036

Is it possible they got in and got out?

shelf life
2010-07-18, 23:42
Is it possible they got in and got out?
Its not necessary to get in. you could have been redirected to a bogus site in a phishing attempt or a link in a blog, a malcicous web page etc. Maybe your password was a easy guess. In any case i dont see any evidence in the form of files that indicate a trojan or password stealing software was installed on your machine.

Here are some guidelines for creating strong passwords;

At least fifteen (15) characters in length.
Does not contain your user name, real name, organization name, family member's names or names of your pets.
Does not contain your birth date.
Does not contain a complete dictionary word.
Is significantly different from your previous password.


Should contain three (3) of the following character types.

* Lowercase Alphabetical (a, b, c, etc.)
* Uppercase Alphabetical (A, B, C, etc.)
* Numerics (0, 1, 2, etc.)
* Special Characters (@, %, !, etc.)


A article here. (http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/)

If you find them stolen again after a change then post back.