I had a hacker in my computer over the summer & worked for 2 months with Bleeping Computer to regain control of my computer, but the hacker won & both our laptop and PC were so corrupted that we had to junk them (thankfully, we needed to upgrade our PC!). We bought a new laptop, installed BitDefender antivirus, Malwarebytes, and Comodo Firewall. We were extremely careful when surfing the net, had all of the protection programs set at the highest level of security, updated all programs obsessively, and still, the hacker came back! I had my identity stolen, purchases made with my ATM card #, my checking account #, my Amazon.com account hacked into & laptops shipped across the country (at my expense), and our email account hacked into and eventually taken over. It's been a nightmare! On Jan. 18th I had a computer technician come & try to clean my computer, but after 5 hours, although it killed him to admit it, he wasn't able to, and so he reformatted our hard drive & re-installed Windows. We have Verizon FIOS for internet & it's WEP-protected, so he changed that password & we thought that we were good to go.
However, this past week I've noticed changes in the computer. I've been fighting this since June, so I'm way better at noticing small changes in our computer than I was 8 months ago! When I look at the Program & Windows files, there has been a lot of activity (files added or modified) since January 20th (only 2 days after our computer was wiped clean!). I was able to pull numerous Notepad documents that detailed changes to programs--Windows Updater, BitDefender, Malwarebytes, Comodo--files moved & renamed, and even a 100+ page Notepad document that detailed someone using our computer to download porn! I should also mention that the Computer Tech that reformatted our computer found a program for streaming videos/movies (Turion?) on our router. I've also noticed that my antivirus & antispyware programs were suddenly showing no issues with corrupt files, viruses, etc.
I also need to mention that this hacker was also able to get into my 10 year old's netbook that she just got for Christmas! So, today I contacted Verizon & they disconnected our wireless, so we just have our PC plugged in. But the changes to my computer & the flood of activity continue! With each hour I'm locked out of more & more files (and where before I could change the permission on a file & either access it or delete it, I now can't).
Can you please, please help me? This has consumed my life for the past 8 months & it's wreaked havoc in every area!
I'm posting my DDS results & attaching the GMER scan. However, I need to note that when I extracted the GMER files & the screen appeared, many of the options (system, sections, IAT/EAT, devices, modules, processes, threads, libraries, & show all) were not highlighted/checked. So I ran the scan with only the few that were checked!
Thanks in advance for your help!!
DDS (Ver_10-12-12.02) - NTFS_AMD64 NETWORK
Run by HomePC at 2:33:22.52 on Sun 02/06/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5887.5015 [GMT -8:00]
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Comodo\SecureEmail x64\ComodoSE.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\HomePC\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = www.msn.com
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360111g106p0305v145r4881s217
uWindow Title = Microsoft Internet Explorer
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360111g106p0305v145r4881s217
mStart Page = about:blank
mWindow Title = Microsoft Internet Explorer
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [Global Registration] "C:\Program Files (x86)\eMachines\Registration\GREG.exe" BOOT
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [BestSpywareScanner.exe] C:\Program Files (x86)\Best Spyware Scanner\BestSpywareScanner.exe
mRun: [BSSHelper.exe] C:\Program Files (x86)\Best Spyware Scanner\BSSHelper.exe -0
mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
mRun-x64: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
================= FIREFOX ===================
FF - ProfilePath - C:\Users\HomePC\AppData\Roaming\Mozilla\Firefox\Profiles\uw3yrcgn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 0
FF - component: C:\Users\HomePC\AppData\Roaming\Mozilla\Firefox\Profiles\uw3yrcgn.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: C:\Users\HomePC\AppData\Roaming\Mozilla\Firefox\Profiles\uw3yrcgn.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
============= SERVICES / DRIVERS ===============
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]
S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
S1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Greg_Service;GRegService;C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe --> C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [?]
S2 Updater Service;Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2009-8-15 240160]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-1-20 1255736]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\System32\drivers\WSDPrint.sys [2009-7-13 23040]
=============== Created Last 30 ================
2011-02-06 07:31:30 -------- d-----w- C:\PROGRA~3\Alwil Software
2011-02-06 07:15:19 -------- d-----w- C:\Users\HomePC\AppData\Local\Apps
2011-02-06 05:15:07 -------- d-----w- C:\Users\HomePC\AppData\Roaming\SUPERAntiSpyware.com
2011-02-06 05:15:07 -------- d-----w- C:\PROGRA~3\SUPERAntiSpyware.com
2011-02-06 05:15:01 -------- d-----w- C:\PROGRA~3\!SASCORE
2011-02-06 05:14:59 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-02-05 22:42:33 -------- d-----w- C:\Users\HomePC\AppData\Roaming\Uniblue
2011-02-05 22:42:26 -------- dc-h--w- C:\PROGRA~3\~0
2011-02-05 22:42:13 -------- d-----w- C:\Users\HomePC\AppData\Local\PackageAware
2011-02-05 22:16:03 -------- d-----w- C:\Program Files (x86)\Spyware Cease 2011
2011-02-05 21:56:35 -------- d-----w- C:\PROGRA~3\SecTaskMan
2011-02-05 21:56:31 -------- d-----w- C:\Program Files (x86)\Security Task Manager
2011-02-05 20:58:21 -------- d-----w- C:\Users\HomePC\AppData\Local\Citrix
2011-01-25 06:36:05 -------- d-----w- C:\Program Files (x86)\Orbis Software
2011-01-25 06:35:58 306688 ----a-w- C:\Windows\IsUninst.exe
2011-01-22 21:45:29 1141416 ----a-w- C:\Windows\System32\CEmLSP.dll
2011-01-22 21:45:29 -------- d-----w- C:\Program Files\Comodo
2011-01-22 20:59:36 14336 ----a-w- C:\Windows\System32\drivers\sffp_sd.sys
2011-01-21 09:27:50 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
2011-01-21 07:05:08 -------- d-----w- C:\Windows\SysWow64\Wat
2011-01-21 07:05:08 -------- d-----w- C:\Windows\System32\Wat
2011-01-21 06:51:41 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll
2011-01-21 06:51:41 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll
2011-01-21 06:51:41 48960 ----a-w- C:\Windows\System32\netfxperf.dll
2011-01-21 06:51:41 444752 ----a-w- C:\Windows\System32\mscoree.dll
2011-01-21 06:51:41 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
2011-01-21 06:51:41 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
2011-01-21 06:51:41 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe
2011-01-21 06:51:41 1942856 ----a-w- C:\Windows\System32\dfshim.dll
2011-01-21 06:51:41 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
2011-01-21 06:51:41 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll
2011-01-21 06:49:04 -------- d-----w- C:\Users\HomePC\AppData\Local\Microsoft Help
2011-01-21 06:48:35 311808 ----a-w- C:\Windows\System32\msv1_0.dll
2011-01-21 06:48:35 257024 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2011-01-21 06:42:36 -------- d-----w- C:\Users\HomePC\AppData\Local\Adobe
2011-01-21 06:35:59 861184 ----a-w- C:\Windows\System32\oleaut32.dll
2011-01-21 06:29:50 463360 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-01-21 05:52:31 -------- d-----w- C:\Users\HomePC\AppData\Local\Diagnostics
2011-01-21 05:27:22 -------- d-----w- C:\PROGRA~3\WEBREG
2011-01-21 05:14:38 248320 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\hpfpp70v.dll
2011-01-20 14:58:00 -------- d-----w- C:\Program Files (x86)\Common Files\HP
2011-01-20 14:57:36 -------- d-----w- C:\Program Files (x86)\Common Files\Hewlett-Packard
2011-01-20 14:52:56 880640 ----a-w- C:\Windows\System32\hposwia_p02c.dll
2011-01-20 14:52:56 515072 ----a-w- C:\Windows\System32\hposc_p02a.dll
2011-01-20 14:52:56 1403904 ----a-w- C:\Windows\System32\hpost_p02c.dll
2011-01-20 14:52:43 551424 ----a-w- C:\Windows\System32\hppldcoi.dll
2011-01-20 14:52:35 642360 ----a-w- C:\Windows\System32\hpzids40.dll
2011-01-20 14:52:26 136704 ----a-w- C:\Windows\System32\hpf3l70v.dll
2011-01-20 14:50:11 -------- d-----w- C:\Program Files (x86)\HP
2011-01-18 23:34:37 -------- d-----w- C:\Users\HomePC\AppData\Roaming\Malwarebytes
2011-01-18 23:34:30 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-01-18 23:34:30 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-01-18 23:00:41 8199504 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{F830D1BD-FF68-4FCB-8F92-3D51A39F0459}\mpengine.dll
2011-01-18 23:00:40 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-01-18 23:00:18 -------- d-----w- C:\Users\HomePC\AppData\Roaming\QuickScan
2011-01-18 22:59:31 -------- d-----w- C:\Program Files\Common Files\BitDefender
2011-01-18 22:59:04 643872 ----a-w- C:\PROGRA~3\bdinstall.bin
2011-01-18 22:48:48 -------- d-----w- C:\Users\HomePC\AppData\Local\Google
2011-01-18 22:28:12 4398360 ----a-w- C:\Windows\System32\d3dx9_32.dll
2011-01-18 22:28:12 3426072 ----a-w- C:\Windows\SysWow64\d3dx9_32.dll
2011-01-18 22:26:56 74520 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d0b09f601cbb75e\DSETUP.dll
2011-01-18 22:26:56 484632 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d0b09f601cbb75e\DXSETUP.exe
2011-01-18 22:26:56 1670936 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d0b09f601cbb75e\dsetup32.dll
2011-01-18 22:23:43 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
2011-01-18 22:22:23 -------- d---a-w- C:\book
2011-01-18 22:22:02 -------- d-----w- C:\Users\HomePC\AppData\Local\VirtualStore
2011-01-18 22:20:08 220672 ----a-w- C:\Windows\System32\wintrust.dll
2011-01-18 22:20:08 172032 ----a-w- C:\Windows\SysWow64\wintrust.dll
2011-01-18 22:20:07 139264 ----a-w- C:\Windows\System32\cabview.dll
2011-01-18 22:20:07 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
2011-01-18 22:18:54 -------- d-sh--w- C:\Recovery
==================== Find3M ====================
2011-01-18 22:14:53 6 ----a-w- C:\Windows\System32\PLD_Framework.cmd
============= FINISH: 2:33:41.85 ===============
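Added example, not part of the original post and not code from DDS or Bleeping Computer: a small Python parser for the "Created Last 30" / "Find3M" entries in the log above. It groups entries by day so the activity after the Jan. 18th reformat can be counted rather than eyeballed, and picks out a short review queue (hidden or system objects outside C:\Windows, executables created in user-writable locations). The sample lines are copied from the log above and embedded so the script runs offline; the meaning of the attribute-flag positions (d=directory, c=compressed, s=system, h=hidden, a=archive) is inferred from this log and is an assumption, not documented DDS behaviour. The queue is a triage list, not a verdict: C:\Recovery, for example, is a standard Windows 7 folder and still lands in it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Sample lines copied from the "Created Last 30" and "Find3M" sections of the DDS log
# above (constructed input for this example; a real run would read the whole DDS.txt).
SAMPLE_LOG = """\
2011-02-06 07:31:30 -------- d-----w- C:\\PROGRA~3\\Alwil Software
2011-02-05 22:42:26 -------- dc-h--w- C:\\PROGRA~3\\~0
2011-02-05 22:16:03 -------- d-----w- C:\\Program Files (x86)\\Spyware Cease 2011
2011-01-22 21:45:29 1141416 ----a-w- C:\\Windows\\System32\\CEmLSP.dll
2011-01-21 06:51:41 444752 ----a-w- C:\\Windows\\System32\\mscoree.dll
2011-01-21 06:48:35 311808 ----a-w- C:\\Windows\\System32\\msv1_0.dll
2011-01-18 23:34:30 24152 ----a-w- C:\\Windows\\System32\\drivers\\mbam.sys
2011-01-18 22:18:54 -------- d-sh--w- C:\\Recovery
2011-01-18 22:14:53 6 ----a-w- C:\\Windows\\System32\\PLD_Framework.cmd
"""

# One DDS entry: date, time, size (or "--------" for a directory), an 8-character
# attribute field, then the path.  The flag letters below are an assumption inferred
# from the entries in this log, not documented DDS output format.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+(\S+)\s+([a-z-]{8})\s+(.+?)\s*$"
)
FLAG_NAMES = {"d": "directory", "c": "compressed", "s": "system",
              "h": "hidden", "a": "archive"}

# Paths treated as operating-system territory vs. locations any user process can write to.
OS_PREFIXES = ("C:\\WINDOWS\\",)
USER_WRITABLE_PREFIXES = ("C:\\PROGRA~3\\", "C:\\PROGRAMDATA\\", "C:\\USERS\\")
EXECUTABLE_SUFFIXES = (".EXE", ".DLL", ".SYS", ".CMD", ".SCR", ".BAT")


@dataclass
class Entry:
    day: str                 # ISO date, e.g. "2011-01-21"
    time: str                # "HH:MM:SS"
    size: Optional[int]      # None for directory entries
    flags: Set[str]
    path: str


def parse_dds_created(text: str) -> List[Entry]:
    """Parse 'Created Last 30' / 'Find3M' lines; headers and other lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        day, time, size, attrs, path = m.groups()
        entries.append(Entry(
            day=day,
            time=time,
            size=None if size.startswith("-") else int(size),
            flags={FLAG_NAMES[c] for c in attrs if c in FLAG_NAMES},
            path=path,
        ))
    return entries


def created_on_or_after(entries: List[Entry], cutoff_day: str) -> List[Entry]:
    """Entries created on or after an ISO date string (string comparison works for ISO dates)."""
    return [e for e in entries if e.day >= cutoff_day]


def count_by_day(entries: List[Entry]) -> Dict[str, int]:
    """How many objects were created on each day: the 'flood of activity' as numbers."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.day] = counts.get(e.day, 0) + 1
    return counts


def review_queue(entries: List[Entry]) -> List[Entry]:
    """Triage filter, not a verdict: hidden/system objects outside C:\\Windows, and
    executables created where any user process can write (ProgramData, user profiles)."""
    queue = []
    for e in entries:
        upper = e.path.upper()
        in_os = upper.startswith(OS_PREFIXES)
        user_writable = upper.startswith(USER_WRITABLE_PREFIXES)
        executable = upper.endswith(EXECUTABLE_SUFFIXES)
        odd_attrs = ("hidden" in e.flags or "system" in e.flags) and not in_os
        if odd_attrs or (user_writable and executable):
            queue.append(e)
    return queue


if __name__ == "__main__":
    entries = parse_dds_created(SAMPLE_LOG)
    print("created per day:", count_by_day(entries))
    print("since reformat (2011-01-20):", len(created_on_or_after(entries, "2011-01-20")))
    for e in review_queue(entries):
        print("review:", e.day, e.time, sorted(e.flags), e.path)
```

Run it against a full DDS.txt by replacing SAMPLE_LOG with the file's contents; the per-day counts make it easy to tell a burst of OS updates and driver installs (many System32 entries with one timestamp) from scattered activity in user-writable locations, which is what a helper would ask about next.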