PCWorld Forums: I Have A Keylogger From Awareness Technologies On My Computer - PCWorld Forums

I Have A Keylogger From Awareness Technologies On My Computer (Remove keylogger)

#1 headoperator (Member, Group: New Member, Posts: 17, Joined: 02-August 12)

Posted 04 August 2012 - 07:44 AM

Around two months ago my wife had new solid state Speed Demon hard drives installed on my computer by my brother-in-law, who is in IT. At the time I didn't know that she was leaving that weekend and I was soon served divorce papers. After the turmoil and emotion calmed down I became suspicious as to why she would want to have new hard drives installed on my computer just days before she had planned to leave; the old one was full, so at the time I thought she was doing it to help out the kids with their homework and games. But they had their own computer, and I know she is very computer savvy and caught the kids doing some things they shouldn't have. But she told me it was because they left their computer on and she found it. Ha, she was monitoring their computer and mine. So I started asking around and someone strongly suggested I install an anti-keylogger on my computer. I purchased Zemana anti-keylogger and it immediately blocked 2 .dll files from Awareness Technologies. The files were found at c:\windows\system32\uacbdgp\mck_vdgcnf.dll and the other .dll file was in the same location but was shim_mtfwea.dll, and both were identified as being from Awareness Technologies. I did some research and found out about WebWatcher. So I looked up some info and it seemed that the best way to find the program was with Spybot S&D; however, I've tried numerous scans and I am unable to find it, but Zemana does. I did a full scan to search even hidden files, and as I sat there and watched it scan I saw one of the files pop up that said KGB keylogger; however, there were no files in the scan shown to be a threat. So now I'm paranoid as to what is on my computer and how to effectively remove it. I know on one website it said to go to Task Manager and stop certain programs with .exe; when I tried to stop the process it said I did not have administrator rights. ARRRRGGGHHH. So what the hell is going on. If someone can help I'd appreciate it.
BTW I did do a search with CMD in the file directory; I typed the above paths and did not find either one. On another note, Zemana also blocked msmsgs.exe; I went to config and unchecked the box next to it. So I'm not sure whether that was a threat or not.

#2 Greycoat (Member, Group: Members, Posts: 16, Joined: 26-October 10)

Posted 04 August 2012 - 10:37 AM

I can only speak for myself, but if it were me in that situation, I would back up my data, i.e. documents, pictures, music, and video only, then format my system hard drive and put a fresh install of my OS on the computer, followed by updates and a fresh install of my apps. That would be the only way for me to no longer be "paranoid". :)

#3 Flashorn (Expert, Group: Members, Posts: 4,385, Joined: 19-May 07, Location: Canada)

Posted 04 August 2012 - 11:58 AM

Hey headoperator !

Welcome to PCWorld Community !

Could we have a few details on the PC pls. Are you running Windows 7 or other?

Go to Start > Control Panel > Folder Options. A screen will appear. Click on the VIEW tab. In the middle of that screen there will be two radio buttons. Click on the one that says Show hidden files and hard drives. Click Apply and OK. We will reverse this procedure when we are finished.

IF on Windows Vista or 7, pls right click on all program .exe files and choose "Run as Administrator" from the context menu.

Download and run this file cleaner: Download. Could you copy and paste the log in your next reply pls.

Next I would suggest you download, install and update the definitions of MalwareBytes' AntiMalware from here: Download@MajorGeeks
You will be redirected to MajorGeeks for your download, which should start in a few seconds.

Do a Full scan of your PC. This will take some time.

Please post the ensuing log (copy and paste) in your next reply.

Once that scan is done, download to your Desktop and run RogueKiller: Download@Author's Site
DO NOT attempt to FIX anything yet. There should be a text file next to the .exe. Copy and paste that text file pls.



Give us feedback pls.



FLASHORN.


Eurocom Scorpius: 3840QM-2.8 GHz-Ivy Bridge ; ATI 7970M Crossfire ; Intel SSD 520 series 480GB ; Seagate Momentus XT 750 GB,7200RPM ; 16 GB Corsair Vengeance 9 9 9 24 ; Sound Blaster X-Fi MB2 ; THX True Studio Pro.

Patience is Life.

#4 headoperator (Member, Group: New Member, Posts: 17, Joined: 02-August 12)

Posted 04 August 2012 - 02:12 PM

Flashorn, thanks for the advice. I'm running Windows 7. I did the Folder Options suggestion but I don't understand how to go about this instruction:
"IF on Windows Vista or 7 pls, Right Click on all program .exe and "Run as Administrator" from the context menu." Also, the first link for the file cleaner download took me to a website forum, so I wasn't sure which file to download. At the moment I am doing the Malwarebytes full scan. I'll let you know how that goes. Thanks so much for your help.

#5 Flashorn (Expert, Group: Members, Posts: 4,385, Joined: 19-May 07, Location: Canada)

Posted 04 August 2012 - 02:44 PM

Hey headoperator !

Sorry for that link.

Here is a good one and instructions :

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all you work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
Now, whenever we are using Vista and Windows 7, the correct way to either start a program or install a program is to right click on the program or .exe and, from the context menu, choose the
option "Run as Administrator". This will ensure that Windows starts that program correctly. You should get a UAC prompt and have to click on the Yes or Continue button on that prompt.

(screenshot of the UAC prompt)

This is just an example of the prompt you should be getting. It will say TFC.exe in place of Updater.exe.


Any other questions, pls. ask before doing any work.



FLASHORN.

#6 headoperator (Member, Group: New Member, Posts: 17, Joined: 02-August 12)

Posted 04 August 2012 - 03:10 PM

This is the log after running Malware

Database version: v2012.08.04.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Admin :: HOMEDESK [administrator]

Protection: Enabled

8/4/2012 5:05:58 PM
mbam-log-2012-08-04 (17-05-58).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 369541
Time elapsed: 30 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#7 headoperator (Member, Group: New Member, Posts: 17, Joined: 02-August 12)

Posted 04 August 2012 - 03:28 PM

Well, I tried to run as administrator and apparently there is a password unbeknownst to me, so I ran it under my own account; this is what I got.
User: Rich

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes

Emptying RecycleBin. Do not interrupt.

RecycleBin emptied: 0 bytes
Process complete!

Total Files Cleaned = 2.00 mb

#8 Flashorn (Expert, Group: Members, Posts: 4,385, Joined: 19-May 07, Location: Canada)

Posted 04 August 2012 - 03:30 PM

Hey headoperator !

So, you're working with XP but, at least it's up to date with SP3.

In addition to the scans and cleaning I asked for, could you run this scan also.

Download and run, no install needed, as this is just a .exe:

HijackThis from here : http://sourceforge.net/projects/hjt/

When you start the tool, you will see the first option "do a system scan and save a log"

Save it to your desktop. Open the log (notepad) and copy & paste the results of that scan in your next post pls.

Your Internet Explorer browser is out of date. Use Internet Explorer 8 instead :
Download from here : http://www.microsoft...ails.aspx?id=43

Do you use any other browser other than Internet Explorer?
If so, which one ?

Is the PC behaving in a particular way or are you having problems with it (ie. accessing certain web sites, programs not opening , Task Manager not responding)



FLASHORN.

#9 Flashorn (Expert, Group: Members, Posts: 4,385, Joined: 19-May 07, Location: Canada)

Posted 04 August 2012 - 03:38 PM

headoperator, on 04 August 2012 - 03:28 PM, said:

Well, I tried to run as administrator and apparently there is a password unbeknownst to me, so I ran it under my own account; this is what I got.
User: Rich

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes

Emptying RecycleBin. Do not interrupt.

RecycleBin emptied: 0 bytes
Process complete!

Total Files Cleaned = 2.00 mb



Hey headoperator !

In XP there are no such entries as Run as Administrator.
I thought you were running Vista or Windows 7. Shows me to ask before I jump.

There are no obvious files in that cleaning.

The MBAM scan didn't come up with anything either.

I still need the log from RogueKiller . Could you run that either before or after you run HijackThis pls.


FLASHORN.

#10 headoperator (Member, Group: New Member, Posts: 17, Joined: 02-August 12)

Posted 04 August 2012 - 03:49 PM

Sorry for the confusion, but when I log on under my profile Task Manager will only show the programs running. If I log on under Admin, Task Manager will show all the tabs with processes, images, and CPU usage. If I try to stop a certain process in the Task Manager it will not allow me to. I am going to run RogueKiller now. I will let you know. Thanks

#11 headoperator (Member, Group: New Member, Posts: 17, Joined: 02-August 12)

Posted 04 August 2012 - 03:51 PM

BTW TFC would not run it just kept locking up the computer

#12 headoperator (Member, Group: New Member, Posts: 17, Joined: 02-August 12)

Posted 04 August 2012 - 03:54 PM

Flashorn, Content Advisor will not allow me to download RogueKiller; not sure what's going on there.

#13 Flashorn (Expert, Group: Members, Posts: 4,385, Joined: 19-May 07, Location: Canada)

Posted 04 August 2012 - 04:44 PM

Hey headoperator !

Boot in Safe Mode with internet. Do you see the Administrator account?
If so, boot into that account.
Try to access the Task Manager and stop those processes.
Now, still in Safe Mode, try to access the net and download RogueKiller.

In Internet Explorer, on the Tools menu, click Internet Options.
What do you see in the Content tab?
Is the Settings button available to click on, or do you just see Enable?

Can you download and run HijackThis ?



FLASHORN.

#14 headoperator (Member, Group: New Member, Posts: 17, Joined: 02-August 12)

Posted 04 August 2012 - 05:42 PM

Hello Flashorn, I was able to run RogueKiller and it found quite a few things. However, I can't figure out how to paste them here for you to look at. Four of them are svchost.exe and the other is smilebox.exe, which I thought was something my daughter downloaded. svchost is at c:\WINDOWS\system32\svchost.exe. Under Drivers there were a whole host of antilog sys32 entries.

This post has been edited by headoperator: 04 August 2012 - 05:50 PM


#15 headoperator (Member, Group: New Member, Posts: 17, Joined: 02-August 12)

Posted 04 August 2012 - 05:54 PM

Every time I click on the link for HijackThis it opens the browser then immediately closes all my browsers. Don't know why.

#16 Flashorn (Expert, Group: Members, Posts: 4,385, Joined: 19-May 07, Location: Canada)

Posted 04 August 2012 - 06:05 PM

Hey headoperator !

Are you able to surf the web without restrictions?
Did you download and run in Safe Mode or Normal Mode?

You should have a Notepad .txt on your desktop. Just copy and paste
in your next reply. If you don't see it on the Desktop then restart the program
and click on the Report button. It will generate a notepad.txt that you can copy and paste here.

In the Registry tab, could you expand the column and give me the Whole path to those files pls.

Could I also have the HijackThis log. This is the one I'm waiting for.


FLASHORN.

#17 headoperator (Member, Group: New Member, Posts: 17, Joined: 02-August 12)

Posted 04 August 2012 - 06:16 PM

Finally figured it out; here is the report from RogueKiller. I'll start on HijackThis now.

RogueKiller V7.6.5 [08/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Rich [Admin rights]
Mode: Scan -- Date: 08/04/2012 20:40:45

¤¤¤ Bad processes: 5 ¤¤¤
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe -> KILLED [TermThr]
[SUSP PATH] SmileboxTray.exe -- C:\Documents and Settings\Rich\Application Data\Smilebox\SmileboxTray.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe -> KILLED [TermThr]
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe -> KILLED [DrvNtTerm]
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe -> KILLED [DrvNtTerm]

¤¤¤ Registry Entries: 3 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : SmileboxTray ("C:\Documents and Settings\Rich\Application Data\Smilebox\SmileboxTray.exe") -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1957994488-1275210071-725345543-1005[...]\Run : SmileboxTray ("C:\Documents and Settings\Rich\Application Data\Smilebox\SmileboxTray.exe") -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[37] : NtCreateFile @ 0x80573DFB -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB74669D2)
SSDT[52] : NtCreateSymbolicLinkObject @ 0x805E092A -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7466EA8)
SSDT[53] : NtCreateThread @ 0x805860C0 -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB74655E4)
SSDT[63] : NtDeleteKey @ 0x8059A5CD -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7466566)
SSDT[65] : NtDeleteValueKey @ 0x805991EC -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7466438)
SSDT[66] : NtDeviceIoControlFile @ 0x80588ABD -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB74671A0)
SSDT[97] : NtLoadDriver @ 0x805B06F6 -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB74651E0)
SSDT[108] : NtMapViewOfSection @ 0x8057AA19 -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7464D3C)
SSDT[116] : NtOpenFile @ 0x80579E8D -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7466CC2)
SSDT[119] : NtOpenKey @ 0x80572BDF -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB746698C)
SSDT[122] : NtOpenProcess @ 0x8057BB80 -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7465BC4)
SSDT[128] : NtOpenThread @ 0x80596A0F -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7465EF0)
SSDT[137] : NtProtectVirtualMemory @ 0x80582620 -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7466E68)
SSDT[180] : NtQueueApcThread @ 0x8059A8E8 -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB746590A)
SSDT[210] : NtSecureConnectPort @ 0x80587C11 -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7466E00)
SSDT[213] : NtSetContextThread @ 0x8063629D -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7464A68)
SSDT[240] : NtSetSystemInformation @ 0x805B2328 -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7465576)
SSDT[247] : NtSetValueKey @ 0x8057B4EF -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7466632)
SSDT[257] : NtTerminateProcess @ 0x8058E6B9 -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB746630E)
SSDT[277] : NtWriteVirtualMemory @ 0x805873F6 -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB74646BA)
S_SSDT[7] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB74633C6)
S_SSDT[13] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB746260C)
S_SSDT[122] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7462506)
S_SSDT[191] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7463684)
S_SSDT[227] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7462B82)
S_SSDT[233] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7462568)
S_SSDT[237] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7462E42)
S_SSDT[292] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB74628C6)
S_SSDT[298] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB746310A)
S_SSDT[307] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7463F3A)
S_SSDT[383] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7461A14)
S_SSDT[387] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB74642BE)
S_SSDT[416] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7461CF2)
S_SSDT[460] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7463BE4)
S_SSDT[475] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7463EC4)
S_SSDT[476] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7463EB2)
S_SSDT[491] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7461FA2)
S_SSDT[502] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB746223E)
S_SSDT[509] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7463952)
S_SSDT[549] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB7461596)
S_SSDT[552] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB746174E)
S_SSDT[570] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB746172C)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: INTEL SSDSC2CT180A3 +++++
--- User ---
[MBR] 1390ac586766caaac6b1d4b7e7b03e50
[BSP] 2285a82252c50cd258aefd9d73516469 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 86016 | Size: 164412 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD10EARS-00Y5B1 +++++
--- User ---
[MBR] 9e66e0d55ab6e84ece13a98243db89c9
[BSP] a2efa5c9cdcde296bb8c85e57c5f1490 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
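The RogueKiller report above is the one piece of hard evidence in this thread, and reading it by hand is error-prone. The following Python script is an added example, not part of the thread and not RogueKiller's own code: it parses a report in this layout into sections, groups every hooked SSDT entry by the driver that owns the hook, lists the Run-key entries the tool tagged SUSP PATH, and separates the heuristic [SVCHOST] kills from everything else. The sample report is a constructed, abbreviated copy of the lines posted above; the function names and the section names it keys on are this example's assumptions about the format.

```python
"""Triage a RogueKiller-style scan report (added example; helper names are hypothetical)."""
import re
import sys
from collections import defaultdict

# Constructed sample: an abbreviated copy of the report posted in this thread.
SAMPLE_REPORT = r"""
RogueKiller V7.6.5 [08/03/2012] by Tigzy
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
User: Rich [Admin rights]
Mode: Scan -- Date: 08/04/2012 20:40:45

¤¤¤ Bad processes: 5 ¤¤¤
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe -> KILLED [TermThr]
[SUSP PATH] SmileboxTray.exe -- C:\Documents and Settings\Rich\Application Data\Smilebox\SmileboxTray.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe -> KILLED [DrvNtTerm]

¤¤¤ Registry Entries: 3 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : SmileboxTray ("C:\Documents and Settings\Rich\Application Data\Smilebox\SmileboxTray.exe") -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[37] : NtCreateFile @ 0x80573DFB -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB74669D2)
SSDT[257] : NtTerminateProcess @ 0x8058E6B9 -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB746630E)
S_SSDT[7] : Unknown -> HOOKED (\??\C:\WINDOWS\system32\drivers\AntiLog32.sys @ 0xB74633C6)

¤¤¤ MBR Check: ¤¤¤
"""

# Section headers look like "¤¤¤ Bad processes: 5 ¤¤¤"; the count after ":" is dropped.
SECTION_RE = re.compile(r"^¤¤¤ (.+?) ¤¤¤$")
# "[TAG] image.exe -- C:\full\path.exe -> KILLED [Method]"
PROC_RE = re.compile(r"^\[(?P<tag>[^\]]+)\] (?P<image>\S+) -- (?P<path>.+?) -> (?P<action>\w+) \[(?P<method>\w+)\]$")
# "[TAG] HIVE\[...]\Key : ValueName (data) -> FOUND"
REG_RE = re.compile(r"^\[(?P<tag>[^\]]+)\] (?P<key>\S+) : (?P<name>\S+) \((?P<data>.*)\) -> (?P<status>\w+)$")
# "SSDT[37] : NtCreateFile @ 0x... -> HOOKED (\??\C:\...\driver.sys @ 0x...)"; S_SSDT rows carry no address.
HOOK_RE = re.compile(r"^(?P<table>S?_?SSDT)\[(?P<index>\d+)\] : (?P<func>\S+)(?: @ 0x[0-9A-Fa-f]+)?"
                     r" -> HOOKED \((?P<driver>.+?) @ 0x[0-9A-Fa-f]+\)$")


def parse_report(text):
    """Split the report into {'processes', 'registry', 'hooks'}, keyed on the section each row sits in."""
    report = {"processes": [], "registry": [], "hooks": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).split(":")[0].strip()
            continue
        if section == "Bad processes" and (m := PROC_RE.match(line)):
            report["processes"].append(m.groupdict())
        elif section == "Registry Entries" and (m := REG_RE.match(line)):
            entry = m.groupdict()
            entry["data"] = entry["data"].strip('"')  # Run values are quoted command lines
            report["registry"].append(entry)
        elif section == "Driver" and (m := HOOK_RE.match(line)):
            entry = m.groupdict()
            entry["index"] = int(entry["index"])
            report["hooks"].append(entry)
    return report


def hooks_by_driver(report):
    """Map each hooking driver (file name only) to the sorted list of entries it hooks."""
    grouped = defaultdict(list)
    for h in report["hooks"]:
        driver = h["driver"].rsplit("\\", 1)[-1]
        # Shadow-table rows are reported as "Unknown"; keep the slot number instead.
        label = h["func"] if h["func"] != "Unknown" else f"{h['table']}[{h['index']}]"
        grouped[driver].append(label)
    return {d: sorted(v) for d, v in grouped.items()}


def suspicious_autoruns(report):
    """Return (key, value name, command) for Run-key entries tagged SUSP PATH."""
    return [(e["key"], e["name"], e["data"]) for e in report["registry"]
            if e["tag"] == "SUSP PATH" and e["key"].upper().endswith("\\RUN")]


def triage(report):
    """Condense the parsed report into the few things a first pass should look at."""
    by_driver = hooks_by_driver(report)
    return {
        "hook_drivers": sorted(by_driver),
        "hooked_entries": sum(len(v) for v in by_driver.values()),
        "autoruns": suspicious_autoruns(report),
        # [SVCHOST] rows are heuristic terminations of service hosts at their normal
        # path; rows with any other tag are the ones that name an actual suspect.
        "killed_non_svchost": [p["image"] for p in report["processes"] if p["tag"] != "SVCHOST"],
    }


if __name__ == "__main__":
    text = SAMPLE_REPORT
    if len(sys.argv) > 1:  # optional: path to a saved RKreport[N].txt
        raw_bytes = open(sys.argv[1], "rb").read()
        try:
            text = raw_bytes.decode("utf-8")
        except UnicodeDecodeError:  # reports written on XP are typically cp1252, where ¤ is 0xA4
            text = raw_bytes.decode("cp1252")
    parsed = parse_report(text)
    for driver, entries in hooks_by_driver(parsed).items():
        print(f"{driver}: {len(entries)} hooked entries -> {', '.join(entries)}")
    summary = triage(parsed)
    for key, name, command in summary["autoruns"]:
        print(f"autorun {key} : {name} = {command}")
    print("killed (non-SVCHOST):", ", ".join(summary["killed_non_svchost"]) or "none")
```

Run it as-is for the sample, or pass a saved RKreport file path as the first argument. Two reading caveats the code encodes: every hook here belongs to a single driver, AntiLog32.sys, which Flashorn identifies as the antilogger, so a hook list that all points at one security product's driver is expected rather than alarming; and [SVCHOST] entries at the normal system32 path are heuristic terminations, not evidence that svchost.exe itself is malicious, so the actual leads in this report are the SUSP PATH autorun and the executable it launches.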

#18 Flashorn (Expert, Group: Members, Posts: 4,385, Joined: 19-May 07, Location: Canada)

Posted 04 August 2012 - 06:17 PM

headoperator, on 04 August 2012 - 05:54 PM, said:

Every time I click on the link for HijackThis it opens the browser then immediately closes all my browsers. Don't know why.


Hey headoperator !

Could you tell me which browser other than Internet Explorer you have installed?

When you say it closes all your browsers, do you mean it closes all of your opened tabs in your browser,
OR do you have Internet Explorer open all sites in different windows (like more than one browser opened at the same time)?

Try running it in Safe Mode if you can't download and run the program in normal mode.

Booting in Safe Mode :

Reboot your PC. When you see the black screen just before the Windows logo or your PC's manufacturer's logo, PRESS on the F8 Key
repeatedly until you see black screen with options to choose (with the Arrow Keys) Safe Mode - Safe Mode with Internet. This is the one
you want. With the Arrow Keys, press down to choose the option Safe Mode with Internet. Now, click on the Enter button.

Your screen will look like it's stretched and out of sync, but you can still do the work needed.



FLASHORN.

#19 headoperator (Member, Group: New Member, Posts: 17, Joined: 02-August 12)

Posted 06 August 2012 - 08:29 PM

Sorry for the delay. I reached my maximum posts for the day then had to work, so I've been away. I tried to download HijackThis in both safe and normal modes with the same result. As soon as I click on the link to download, Internet Explorer closes immediately. BTW sorry for the confusion, for that is the only browser I'm running. I'm starting to feel I may need to scrap my computer and get a laptop whose whereabouts I can control. My question is: can my router be hacked by my STBX and have the same keylogger installed? I've changed out my router and password-protected it. But I'm still concerned it can be hacked. I have a USB flash drive that I kept a few documents on. Today when I opened it I found some folders that were not on there last time I used it; they were set up for a WAN connection, one folder was SMRTNTKY and the other was ezsetup.exe. I know those folders were not there last time I used that flash drive. So how in the world did they get there? Was my computer set up to automatically load those folders next time I used my flash drive? I'm freaking out like my every move is being tracked somehow. One of the folders had a notepad log of trying to connect with WAN. I can't access it now, but when I can I will post that notepad.
Thanks

#20 Flashorn (Expert, Group: Members, Posts: 4,385, Joined: 19-May 07, Location: Canada)

Posted 07 August 2012 - 02:05 AM

Hey headoperator !

The scans you have given me so far indicate that you do have an antilogger installed but, nothing else pops out.
It did what needed to be done with those bad processes and removed them.
Smilebox is considered as Adware and thus, most anti-malware will ask you to delete those files.

OK, for HjT, IF you can, download from another PC (preferably clean of malware) and copy the .exe to a USB Key
(flashdrive) You could then plug in the USB key and run it from there. It would really help if I could see that scan.

You can still use that USB drive but, format it to make sure it's free of whatever you think might be on there.
The new files you are seeing on that drive are from a backup of your router's configuration. They are not essential and
can be deleted.
IF you format that drive, you will lose all data written to it. I think in your case, that might be a good idea.

To format a USB drive,

Plug in the drive to be formatted in any USB connector.
Wait for it to be recognized by the OS; the PC will make a connection sound.
Go to Computer.
Locate drive in question.
Right Click on drive and choose "Format" from the ensuing menu.
Don't change any of the settings. It will simply format in FAT32 format.
Click on the Start button.
You will get a warning asking you if you want to format and inform you that you will lose all data.
Click on the OK button.
This will take a few seconds to complete after which, a pop-up will say that the operation has finished.
You now have a fresh USB drive.

As for the router, it's always possible to hack those encryption codes but, seeing that you have changed the entire unit,
I think it would be unlikely that your wife would have access to this new device unless she is still able to visit when you're
not there. Are you connected by cat5 wire or wireless ?

The msmsgs.exe is Messenger from Microsoft. It could be that the webwatcher program used this messenger service
to communicate its findings. Since it was stopped, it shouldn't be a worry anymore.

Now, could I get the answers to these questions pls.
Is the PC behaving in strange ways?
Are you able to surf unhindered ?
Are there programs that you cannot open or are denied access to?
Did you update Internet Explorer to version 8? (you should)



FLASHORN.
