Live Chat & Podcast at 1:00PM Eastern on Sunday!
There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
Virus & Other Malware Removal
Go to first new post How did you find PC CLEANER PRO on my c ...
Go to first new post Trojan: Win32/Alureon.FK - hijack this l ...
Go to first new post Black desktop, missing all shortcuts, fi ...
Go to first new post Missing Photos/Black Desktop/Phantom Use ...
Go to first new post Network, good; Internet, bad
Go to first new post Need Help
Go to first new post Odd Processes/SCODEF-CREDAT/possible vir ...
Go to first new post Google Hijacker/Google Search Result vir ...
Go to first new post server not found
Go to first new post slow computer, downloads over a few mb f ...
Go to first new post Ramnit virus, nearly cleared
Go to first new post Windows live Messenger Virus
Go to first new post We Got System Checked :-(
Go to first new post This setup thing keeps popping up everyd ...
Go to first new post Extremely unresponsive, massive hang-ups ...
Tag Cloud
access acer asus bios bsod computer crash desktop driver drivers error ethernet excel freeze gaming hard drive hardware hdmi internet laptop malware memory monitor motherboard network operating system printer problem ram registry router slow software sound svchost.exe toshiba trojan ubuntu 11.10 uninstall usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
Solved: Possible Keylogger.

Page 1 of 2 1 2
Reply  
Thread Tools
neo10532's Avatar
Computer Specs
Junior Member with 12 posts.
  
Join Date: Feb 2010
Experience: Beginner
04-Feb-2010, 07:53 PM #1
Possible Keylogger.
I say possible because the only symptoms I have had is that my World of Warcraft account has been hacked 2 times in the last month and I'm not positive if it was through this computer or a different one. I feel like it is most likely this computer though because I use it 95% of the time. After the first account compromise I ran Ad-Aware and did a scan with my antivirus, Zonealarm. After finding nothing I assumed my computer was safe. I was wrong. I have followed a pretty large thread on the WoW forums about how to clean your computer of malware. This is the url of the forum post I followed and posting a hijackthis log is the last step of the process it suggests.

http://forums.wow-europe.com/thread....cId=5383442401

so here is my Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:41 PM, on 2/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbox.digsby.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbox.digsby.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbox.digsby.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbox.digsby.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://searchbox.digsby.com/search?q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [Alcmtr] "ALCMTR.EXE"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [CurseClient] "C:\Program Files\Curse\CurseClient.exe" -silent
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\RunOnce: [Shockwave Updater] "C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE" -Update -1103470 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)" -"http://www.neopets.com/games/dgs/play_shockwave.phtml?va=&game_id=430&nc_referer=&age=1&hiscore=&sp=0&questi onSet=&r=6046559&width=640&height=480&quality=high"
O4 - Startup: digsby.lnk = C:\Program Files\Digsby\digsby.exe
O4 - Global Startup: UltraMon.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 8237 bytes

Thank you for any help you can offer.
Last edited by neo10532; 04-Feb-2010 at 08:48 PM..
Register for free to hide this ad!
neo10532's Avatar
Computer Specs
Junior Member with 12 posts.
  
Join Date: Feb 2010
Experience: Beginner
05-Feb-2010, 11:11 AM #2
Still looking for some help if possible, thanks.
neo10532's Avatar
Computer Specs
Junior Member with 12 posts.
  
Join Date: Feb 2010
Experience: Beginner
06-Feb-2010, 11:50 AM #3
bump >.<
neo10532's Avatar
Computer Specs
Junior Member with 12 posts.
  
Join Date: Feb 2010
Experience: Beginner
07-Feb-2010, 04:19 PM #4
could still use some help. Ty
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,223 posts.
  
Join Date: Dec 2002
Location: Loughton, Essex, UK
08-Feb-2010, 08:39 AM #5
First clear your Java cache as shown http://www.java.com/en/download/help/5000020300.xml
Then follow advice here and post the logs those programs make in your next reply to this topic
neo10532's Avatar
Computer Specs
Junior Member with 12 posts.
  
Join Date: Feb 2010
Experience: Beginner
08-Feb-2010, 09:21 PM #6
So I have been having problems with gmer. I realized the first few times I tried to run it that if I even touch anything else on my computer while it is running I will completely freeze up and have to do a hard reboot. After that realization I was able to get through a full scan but when I try to save the log at the end my computer becomes unresponsive and completely freezes. If you have any suggestions I would like to hear them. I will give you the 2 logs from dds for now. I also had trouble uninstalling Webroot for some reason. The uninstaller just did not work.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 13:21:54.79 on Mon 02/08/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2143 [GMT -5:00]

AV: ZoneAlarm Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Last.fm\LastFM.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uSearch Page = hxxp://searchbox.digsby.com/
uSearch Bar = hxxp://searchbox.digsby.com/ie
mSearch Page = hxxp://searchbox.digsby.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://searchbox.digsby.com/search?q=%s
mSearchAssistant = hxxp://searchbox.digsby.com/ie
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [CurseClient] "c:\program files\curse\CurseClient.exe" -silent
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRunOnce: [Shockwave Updater] "c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE" -Update -1103470 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)" -"http://www.neopets.com/games/dgs/play_shockwave.phtml?va=&game_id=430&nc_referer=&age=1&hiscore=&sp=0&questi onSet=&r=6046559&width=640&height=480&quality=high"
mRun: [RTHDCPL] "RTHDCPL.EXE"
mRun: [Alcmtr] "ALCMTR.EXE"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ultramon.lnk - c:\windows\installer\{af0fa6d7-96f3-468a-abb7-28be006ea8e9}\IcoUltraMon.ico
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\9tku7k54.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.facebook.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\9tku7k54.default\extensions\npdyyno@dyyno.com \plugins\npDyyno.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2009-11-20 128016]
R0 mrdd;Marvell Removable Disk Control Driver;c:\windows\system32\drivers\mrdd.sys [2009-9-1 18984]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-6-23 152616]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-11-20 317072]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-10-16 486280]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2010-2-3 1201640]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sy s [2006-9-24 3584]

=============== Created Last 30 ================

2010-02-04 03:51:49 0 d-----w- c:\program files\MSXML 4.0
2010-02-03 22:04:10 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-02-03 22:04:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-03 22:04:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-03 22:03:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-03 22:03:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-03 21:56:50 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-03 21:56:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-03 21:16:53 0 d-----w- c:\program files\MSSOAP
2010-02-03 21:16:34 1563008 ----a-w- c:\windows\WRSetup.dll
2010-02-03 21:16:34 0 d-----w- c:\program files\Webroot
2010-02-03 21:16:34 0 d-----w- c:\docume~1\owner\applic~1\Webroot
2010-02-03 21:16:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2010-02-03 21:12:19 164 ----a-w- c:\windows\install.dat
2010-02-03 21:06:48 0 d-----w- c:\program files\Uniblue

==================== Find3M ====================

2010-02-08 18:06:55 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-02-08 18:06:52 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-02-08 11:05:59 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-11 02:25:46 98304 ----a-w- c:\windows\DUMP60fc.tmp
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2008-10-15 01:34:05 38942 ----a-w- c:\program files\uninstall.exe
2008-10-02 22:51:46 3309224 ----a-w- c:\program files\fraps.exe
2008-10-02 22:50:10 176128 ----a-w- c:\program files\fraps.dll
2008-10-02 22:50:04 127488 ----a-w- c:\program files\fraps64.dll
2008-10-02 22:49:46 2635776 ----a-w- c:\program files\fraps64.dat
2008-10-02 22:49:34 159744 ----a-w- c:\program files\frapslcd.dll
2008-10-02 22:43:26 14472 ----a-w- c:\program files\changes.txt
2008-10-02 22:34:56 1840 ----a-w- c:\program files\README.HTM
2006-06-23 18:48:54 32768 ----a-w- c:\windows\inf\UpdateUSB.exe

============= FINISH: 13:22:32.57 ===============
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,223 posts.
  
Join Date: Dec 2002
Location: Loughton, Essex, UK
09-Feb-2010, 04:52 AM #7
Delete any existing version of ComboFix you have sitting on your desktop
Please read and follow all these instructions very carefully

Download ComboFix from Here to your Desktop.

**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again after combofix has finished
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running
Double click on combofix.exe & follow the prompts.
If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
neo10532's Avatar
Computer Specs
Junior Member with 12 posts.
  
Join Date: Feb 2010
Experience: Beginner
09-Feb-2010, 02:21 PM #8
ComboFix 10-02-08.09 - Owner 02/09/2010 13:08:26.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2743 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-09 to 2010-02-09 )))))))))))))))))))))))))))))))
.

2010-02-04 23:26 . 2010-02-04 23:27 -------- d-----w- c:\program files\QuickTime
2010-02-04 03:51 . 2010-02-04 03:51 -------- d-----w- c:\program files\MSXML 4.0
2010-02-03 22:04 . 2010-02-03 22:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-03 22:04 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-03 22:04 . 2010-02-03 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-03 22:03 . 2010-02-03 22:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-03 22:03 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-03 21:56 . 2010-02-08 18:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-03 21:56 . 2010-02-08 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-03 21:16 . 2010-02-03 21:16 -------- d-----w- c:\program files\MSSOAP
2010-02-03 21:16 . 2010-02-04 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-02-03 21:16 . 2010-02-03 21:16 -------- d-----w- c:\program files\Webroot
2010-02-03 21:16 . 2010-02-03 21:16 -------- d-----w- c:\documents and settings\Owner\Application Data\Webroot
2010-02-03 21:16 . 2009-11-06 20:19 1563008 ----a-w- c:\windows\WRSetup.dll
2010-02-03 21:12 . 2010-02-03 21:12 164 ----a-w- c:\windows\install.dat
2010-02-03 21:06 . 2010-02-03 21:06 -------- d-----w- c:\program files\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-09 18:12 . 2009-05-17 01:07 -------- d-----w- c:\program files\Steam
2010-02-09 18:11 . 2009-05-07 21:33 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-02-09 18:11 . 2009-05-07 21:33 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-02-09 13:26 . 2008-10-16 14:51 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-02-09 02:16 . 2009-11-14 00:38 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-02-08 18:20 . 2008-10-15 02:14 -------- d-----w- c:\program files\uTorrent
2010-02-04 23:32 . 2008-10-15 06:48 -------- d-----w- c:\program files\iTunes
2010-02-04 23:31 . 2008-10-15 06:48 -------- d-----w- c:\program files\iPod
2010-02-04 23:31 . 2008-10-15 06:53 -------- d-----w- c:\program files\Common Files\Apple
2010-02-04 23:23 . 2010-02-04 23:23 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-03 03:14 . 2009-06-20 04:18 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-03 00:35 . 2008-10-15 06:15 -------- d-----w- c:\program files\World of Warcraft
2010-02-01 00:18 . 2008-10-15 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-01 00:04 . 2008-10-15 05:45 -------- d-----w- c:\program files\Java
2010-02-01 00:03 . 2009-06-19 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2010-01-31 23:33 . 2010-01-05 12:22 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-01-31 23:33 . 2010-01-05 12:22 39 ----a-w- c:\windows\system32\rp_rules.dat
2010-01-11 02:25 . 2008-10-14 07:06 98304 ----a-w- c:\windows\DUMP60fc.tmp
2009-12-22 05:21 . 2008-04-14 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-12 18:06 . 2008-10-15 01:58 -------- d-----w- c:\program files\Digsby
2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 15:12 . 2009-11-20 15:12 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-20 15:12 . 2009-11-20 15:12 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2008-10-15 01:34 . 2008-10-15 01:34 38942 ----a-w- c:\program files\uninstall.exe
2008-10-02 22:51 . 2008-10-02 22:51 3309224 ----a-w- c:\program files\fraps.exe
2008-10-02 22:50 . 2008-10-02 22:50 176128 ----a-w- c:\program files\fraps.dll
2008-10-02 22:50 . 2008-10-02 22:50 127488 ----a-w- c:\program files\fraps64.dll
2008-10-02 22:49 . 2008-10-02 22:49 2635776 ----a-w- c:\program files\fraps64.dat
2008-10-02 22:49 . 2008-10-02 22:49 159744 ----a-w- c:\program files\frapslcd.dll
2008-10-02 22:43 . 2008-10-02 22:43 14472 ----a-w- c:\program files\changes.txt
2008-10-02 22:34 . 2008-10-02 22:34 1840 ----a-w- c:\program files\README.HTM
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Steam"="c:\program files\Steam\Steam.exe" [2009-11-10 1217808]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2010-01-22 1845248]
"Aim"="c:\program files\AIM\aim.exe" [2009-09-16 3634024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-08-14 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
digsby.lnk - c:\program files\Digsby\digsby.exe [2008-10-10 137728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
UltraMon.lnk - c:\windows\Installer\{AF0FA6D7-96F3-468A-ABB7-28BE006EA8E9}\IcoUltraMon.ico [2008-10-19 29310]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Webroo tSpySweeperService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Digsby\\lib\\digsby-app.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Activision\\Prototype\\prototypef.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\9neoen9\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 mrdd;Marvell Removable Disk Control Driver;c:\windows\system32\drivers\mrdd.sys [9/1/2009 7:45 AM 18984]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [6/23/2008 5:21 PM 152616]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 10:22 PM 11776]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sy s [9/24/2006 10:23 PM 3584]
.
Contents of the 'Scheduled Tasks' folder

2010-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-02-07 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.1.0.3\DriverRobot.exe [2009-09-01 16:10]

2010-02-08 c:\windows\Tasks\wrSpySweeper_L3ACBE60CC80A41498D9FC132DA047ABD.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-02-03 20:19]

2010-02-08 c:\windows\Tasks\wrSpySweeper_L3ACBE60CC80A41498D9FC132DA047ABD.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-02-03 20:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://searchbox.digsby.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9tku7k54.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.facebook.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9tku7k54.default\extensions\NPDyyno@dyyno.com \plugins\npDyyno.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-09 13:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-842925246-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:d6,ed,e3,12,f2,1c,41,5d,d3,d6,0a,4d,41,4b,35,94,f2,89,2f,af, 09,
a0,1d,32,44,d5,94,e6,80,fa,e4,05,a8,ea,c0,cf,68,a0,44,96,5f,48,15,4a,7b,48, \
"rkeysecu"=hex:44,1d,a7,3f,82,84,4a,06,5c,aa,00,ad,4c,6d,3d,a7
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(7508)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\RTHDCPL.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\program files\UltraMon\UltraMon.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\UltraMon\UltraMonTaskbar.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Last.fm\LastFM.exe
.
**************************************************************************
.
Completion time: 2010-02-09 13:17:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-09 18:17

Pre-Run: 31,580,073,984 bytes free
Post-Run: 33,585,639,424 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - C4A41CB83F576F424E34B1891175E0FC
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,223 posts.
  
Join Date: Dec 2002
Location: Loughton, Essex, UK
09-Feb-2010, 05:02 PM #9
I can't see any keyloggers, but I also can't see an instaled antivirus

I can see several antispyware programs but no antivirus

* Run Kaspersky online virus scan Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
select the (b)"Spyware, Adware, Dialers and other potentially dangerous programs" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: Kavscan is a scanner only & won't fix anything but will normally find the most infected files so it's report gives us a good place to work from

If that won't run then
Run an online antivirus check from one of the following sites
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.bitdefender.com/scan8/ie.html
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
neo10532's Avatar
Computer Specs
Junior Member with 12 posts.
  
Join Date: Feb 2010
Experience: Beginner
09-Feb-2010, 05:38 PM #10
I had Zone alarm anti virus installed but for some reason it wouldn't let me shut down the antivirus portion of it. It would just freeze up and I would have to shut it down from Task Manager every time I tried to turn off the antivirus. Even after I shut it off from task manager I was getting a notification from combofix that it was running and would interfere. So I ended up uninstalling it so that it wouldn't interfere with combofix. I'll run the kaspersky scan now just to be safe.
neo10532's Avatar
Computer Specs
Junior Member with 12 posts.
  
Join Date: Feb 2010
Experience: Beginner
09-Feb-2010, 06:41 PM #11
Tuesday, February 9, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, February 09, 2010 21:07:51
Records in database: 3458977

Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
Scan statistics Objects scanned 71644 Threats found 0 Infected objects found 0 Suspicious objects found 0 Scan duration 00:38:34
No threats found. Scanned area is clean. Selected area has been scanned.
neo10532's Avatar
Computer Specs
Junior Member with 12 posts.
  
Join Date: Feb 2010
Experience: Beginner
09-Feb-2010, 06:43 PM #12
Do you have any ideas about how I could get gmer to work? Or do you feel that we don't need to use it after looking at the other logs I have provided?
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,223 posts.
  
Join Date: Dec 2002
Location: Loughton, Essex, UK
10-Feb-2010, 02:47 PM #13
I wouldn't bother with Gmer now

well nothing so far is showimg any problems so what exactly is hapening now
neo10532's Avatar
Computer Specs
Junior Member with 12 posts.
  
Join Date: Feb 2010
Experience: Beginner
10-Feb-2010, 02:58 PM #14
im not having any problems at the moment, the only problem I had was my account being hacked twice in the last month. ive been very paranoid about changing my password from my phone as soon as i use it on my computer since the second time though.
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,223 posts.
  
Join Date: Dec 2002
Location: Loughton, Essex, UK
10-Feb-2010, 03:27 PM #15
*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click START then RUN
* Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.


This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot.

go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

and scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
Email This Email  Print This Print  Tweet This Send to Facebook Send to MySpace Send to StumbleUpon Digg This | More Services More
Reply
Page 1 of 2 1 2

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!

« Previous Thread | Virus & Other Malware Removal | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.
Thread Tools



Facebook Facebook Twitter Twitter TechGuy.tv TechGuy.tv Mobile TSG Mobile
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 12:22 AM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

 Powered by Cermak Technologies, Inc.