Something sinister?

[buzzkilt]

Hello. I've recently asked a couple questions from the members here, and they've have been really great with their responses, so here I am again. Only this time with something that may be a bit more ominous.

In the past couple of days I had started to notice some strange files showing up in some of my system folders. Things like NTUSER.DAT, ntuser notepad's, the desktop.ini and .recently-used.xbel. Now these were showing up in my Administrator folders, User folders, Documents folder, Pictures, Video .. etc.

Now knowing that I had made no changes whatsover to my system, I became somewhat intrigued/paranoid. I ran my anti-virus program, malware scan and TDSSkiller. I was only able to locate 2 low-level malware infections from a couple of years ago (which I removed).

I then turned back on hidden files and folders and hide protected files (why they were off, I have no clue) and looked to see if the exposed files above were still showing. They were. I went through regedit and made sure that the hide key #'s were correct. They were, and the files above were still showing. So only then by right-clicking and switching them to read-only and hidden, did they go hidden again.

The .recently-used.xbel had been modified a couple of days ago, but not by me. And, again, I did not switch my hidden settings off to expose the above files. They were set to keep all files hidden.

Does this sound like it could be a possible keylogger?

Any help appreciated.

I do have a Hijack This report log, if someone would like to see it.

[Kestrel13!]

None of those files you mentioned are malware and it doesn't "smell" of malware at all but if you would like for me to rule that out you will need to follow the below instructions.

READ & RUN ME FIRST. Malware Removal Guide

[buzzkilt]

Okay, here are my logs and thank you for your help.

[Kestrel13!]

Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these 8 detections:

• [RUN][SUSP PATH] HKLM\[...]\Run : DvhhCCFbLujqW.exe (C:\Documents and Settings\All Users\Application Data\DvhhCCFbLujqW.exe) -> FOUND
• [RUN][SUSP PATH] [ON_E:Default User.WINDOWS1]HKCU[...]\Run : (C:\WINDOWS1\TEMP\hkhwpxs.exe) -> FOUND
• [RUN][SUSP PATH] [ON_E:Default User.WINDOWS1]HKCU[...]\Run : Windows Resurections (C:\WINDOWS1\TEMP\hkhwpxs.exe) -> FOUND
• [RUN][ROGUE ST] [ON_E:Default User.WINDOWS1]HKCU[...]\Run : Diagnostic Manager (C:\WINDOWS1\TEMP\15057346.exe) -> FOUND
• [RUN][SUSP PATH] [ON_E:User]HKCU[...]\Run : reader_s (C:\Documents and Settings\User\reader_s.exe) -> FOUND
• [RUN][SUSP PATH] [ON_E:User]HKCU[...]\Run : (C:\DOCUME~1\User\LOCALS~1\Temp\ry6628uo.exe) -> FOUND
• [RUN][SUSP PATH] [ON_E:User]HKCU[...]\Run : Windows Resurections (C:\DOCUME~1\User\LOCALS~1\Temp\ry6628uo.exe) -> FOUND
• [RUN][ROGUE ST] [ON_E:User]HKCU[...]\Run : Diagnostic Manager (C:\DOCUME~1\User\LOCALS~1\Temp\640057346.exe) -> FOUND

Place a checkmark each of these items, leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Reboot the machine.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

• R3 - URLSearchHook: (no name) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
• O4 - HKLM\..\Run: [SearchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe"
• O4 - HKLM\..\Run: [DvhhCCFbLujqW.exe] C:\Documents and Settings\All Users\Application Data\DvhhCCFbLujqW.exe

After clicking Fix exit HJT.


Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the area. Do not include the word Code.

Code:

:Files
C:\Documents and Settings\All Users\Application Data\DvhhCCFbLujqW.exe
C:\WINDOWS1\TEMP\hkhwpxs.exe
C:\WINDOWS1\TEMP\15057346.exe
C:\Documents and Settings\User\reader_s.exe
C:\DOCUME~1\User\LOCALS~1\Temp\ry6628uo.exe
C:\DOCUME~1\User\LOCALS~1\Temp\640057346.exe
C:\Documents and Settings\User\Local Settings\Application Data\couponamazing
C:\Program Files\Common Files\Spigot
C:\Documents and Settings\All Users\Application Data\DvhhCCFbLujqW.exe
C:\Documents and Settings\All Users\Application Data\blekko toolbars
C:\WINDOWS\Tasks\ParetoLogic Update Version2.job
C:\WINDOWS\Tasks\ParetoLogic Registration.job

:reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"SearchSettings"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{099EF85B-3260-4b87-9239-33355EE6A548}]

:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



Now give Hitman a rerun and have it delete Malware Remnants and Potential Unwanted Programs.

Please give Ccleaner a run, not the registry scanner, just the cleaner itself, to be rid of many temp files.

Go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.

Run the new MGTools.exe and attach the new MGlogs.zip

Re run RogueKiller once more, just a scan and attach log please.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

[buzzkilt]

Before I go any further, during the process of running OTM it moved 6 processes under the title of "Processes Killed". Then the program just sat there. There was no prompt to reboot or any indication that it was done, other than the hour glass timer turned into an I type slash. I gave it an hour to see if something else would happen, but it did not. So I had to reboot the pc by switching off the power. Everything then started up fine, but there was no .log file to be found in the _OTM heirarchy of folders. I did manage, however, to jot everything down by hand before I manually restarted the computer.

Should I proceed to the next step?

[Kestrel13!]

Quote:

Should I proceed to the next step?

Please..

[buzzkilt]

Problems incurred -

- during the run of MG Tools, I could not locate O4 - HKLM\..\Run: [DvhhCCFbLujqW.exe] C:\Documents and Settings\All Users\Application Data\DvhhCCFbLujqW.exe to fix it. It wasn't listed.

- OTM created no data log in the C:\_OTM\MovedFiles folder hierarchy (attached is a txt of what I jotted down before restarting the pc)

- Hitman Pro showed 5 remnants (one I believe was my anti-virus definitions list, even though it is disabled), but wouldn't allow me to delete anything. It said I had to register & purchase.

Improvements are that the speed of the pc is quick and responsive again. I no longer see two quick black boxes in the upper left of the desktop screen upon start-up. They would briefly flash when the pc was first initializing. They were titled C\Windows\32cmd.exe or something to that effect. I would have listed this problem from the beginning, but it just started yesterday, after my initial post.

I'm not sure if I missed something with regards to HitmanPro. I dl'ed it from this site, and from the listing in the Malware Guide.

[Kestrel13!]

Seems like you did not run Ccleaner as I requested. Please do so. And some of our last fix failed, let's try again.


Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these 5 detections:

• [RUN][SUSP PATH] [ON_E:Default User.WINDOWS1]HKCU[...]\Run : (C:\WINDOWS1\TEMP\hkhwpxs.exe) -> FOUND
• [RUN][PREVRUN] [ON_E:User]HKCU[...]\Run : reader_s (C:\Documents and Settings\User\reader_s.exe) -> FOUND
• [RUN][SUSP PATH] [ON_E:User]HKCU[...]\Run : (C:\DOCUME~1\User\LOCALS~1\Temp\ry6628uo.exe) -> FOUND
• [RUN][SUSP PATH] [ON_E:User]HKCU[...]\Run : Windows Resurections (C:\DOCUME~1\User\LOCALS~1\Temp\ry6628uo.exe) -> FOUND
• [RUN][ROGUE ST] [ON_E:User]HKCU[...]\Run : Diagnostic Manager (C:\DOCUME~1\User\LOCALS~1\Temp\640057346.exe) -> FOUND

Place a checkmark each of these items, leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Reboot the machine.

Download The Avenger by Swandog469, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Quote:

Files to delete:
C:\WINDOWS\Tasks\ParetoLogic Update Version2.job
C:\WINDOWS\Tasks\ParetoLogic Registration.job
C:\WINDOWS1\TEMP\hkhwpxs.exe
C:\Documents and Settings\User\reader_s.exe
C:\DOCUME~1\User\LOCALS~1\Temp\ry6628uo.exe
C:\DOCUME~1\User\LOCALS~1\Temp\640057346.exe


Folders to delete:
C:\Documents and Settings\User\Local Settings\Application Data\couponamazing

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Re run Hitman and have it delete Malware remnants please.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

[buzzkilt]

Thank you for your continued patience with me.

Alas, I found the HitmanPro trial license agreement and was able to have it delete the found remnants. I've attached the log from after the HitmanPro deletion process.

[Kestrel13!]

Re run RogueKiller again, just a scan please, and attach the log.

[buzzkilt]

When I ran this before, not this time (as I only scanned), I noticed that two of the entries became listed as error when deleting.

[buzzkilt]

The last attached RKReport was done with my files set back to hidden.

This is the report with the windows files not hidden. Sorry about that.

[Kestrel13!]

Please download Combofix to your desktop. Please refer to these instructions prior to running.

Attach log once done.

[buzzkilt]

ComboFix log.

[Kestrel13!]

Now we need to use ComboFix by sUBs

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

Driver::
BFYQA

File::
c:\docume~1\User\LOCALS~1\Temp\BFYQA.exe
C:\WINDOWS1\TEMP\hkhwpxs.exe
C:\Documents and Settings\User\reader_s.exe
C:\DOCUME~1\User\LOCALS~1\Temp\ry6628uo.exe
C:\DOCUME~1\User\LOCALS~1\Temp\640057346.exe

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.


Now rerun RogueKiller and attach that log too.

[buzzkilt]

Logs -

[Kestrel13!]

Dammit. Run Ccleaner (not the reg scanner just the cleaner itself) and then rerun RogueKiller again after reboot and attach the new log please.

[buzzkilt]

Edit. I didn't reboot. I'll be right back.

[buzzkilt]

Okay, redid the process. Ccleaner > reboot > RKiller > log

Just tell me where & when to run Ccleaner.

[Kestrel13!]

Download OTL to your desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Attach both of these logs into your next reply.

Also...


Run this and attach the results.

Using ESET's Online Scanner